On 10/13/2018 11:41 AM, Martin Gainty wrote:
MG>that would only be true if your support didn't spend all their time on self-serving evasive answers
MG>look at the 100s of JIRA requests that were torpedoed by MarkTrump

Are you TRYING to start a flamewar? I may regret asking this, but I'm
curious whether that was directed at us, or at Tomcat. If there are
Lucene/Solr issues in Jira that you think aren't getting the attention
they need, I'm interested in at least taking a look at them.

MG>TC drags their feet on SSL conformance
MG>no matter.. TLS v1.3 is the new standard and I guarantee you
MG>TC will never catch up to that standard
MG>implement jetty 9.4.12

I have not been closely following discussions about TLS 1.3, and in
particular don't know anything about it in relation to Tomcat, other
than Christopher's comment that the next releases of Tomcat will support
it if the JVM does.

I don't know that TLS 1.3 is super important for Solr. If somebody
places a Solr install in a network location where earlier TLS versions
really aren't good enough, they're asking for problems, no matter what
security measures they've implemented. Solr should have network-level
isolation from any people or systems that cannot be trusted. If
physical access and network access are suitably restricted, there's
little need for additional security measures, including encryption.
This doesn't mean I am opposed to encryption efforts, but I'd like to
find a way to address ease-of-use considerations. TLS with a Java
program is always a bit of a nightmare. I have some ideas about making
it a lot easier, but nowhere near as much free time as I need to explore
them.

It would be fascinating to witness knowledgeable advocates from all of
the projects we could use for network support go head to head to try and
convince us which is better long-term ... as long as the discussion
remains civil. Jetty, Tomcat, and Netty are the likely candidates.

Just for fun, I loaded up the master branch into eclipse, removed Jetty
from the ivy dependencies in Solr, and then rebuilt the eclipse
project. I was quite surprised to see there were only five compile
errors, and they showed up in only two classes, both in the test code.
Whoever wrote the Jetty integration for tests was thinking ahead and
kept that code pretty well isolated. So maybe it won't take all that
much coding to switch the test infrastructure.

I am not technically or philosophically opposed to the idea of using
Tomcat to power a new major version of Solr, if the cost/benefit ratio
is acceptable and provable.

Thanks,
Shawn