On Wed, May 6, 2015 at 5:09 PM, Andrew Stitcher <[email protected]> wrote:
> I agree with this restatement of your position 100% - user configurable
> settings are evil.
>

I assume you are talking mainly about Proton here, and I'm not sure what the impact would be on me as a user and owner of AMQP / Qpid based messaging infrastructure. But as a user, I see this differently.

As far as I know, Qpid has no concept for supporting older versions and doesn't seem to release any security fixes for older versions. In case a security issue is discovered ... with detailed configuration options the users of older releases might be able to secure their software just by re-configuring it. Without them, they will have to wait for the next release and will most probably be forced to upgrade to a new major release. If you look at the past year or two, for example, SSL/TLS had its fair share of issues like insecure SSL versions or encryption algorithms.

From this perspective I like the initial suggestion from Alan - to have a top level setting to simplify the configuration and "change the defaults" and at the same time have fine-grained control for those who need it.

J.
