Hi, 2013/4/5 Reto Bachmann-Gmür <r...@apache.org>: > Rather than having a discussion based on assumptions I'd like to see a list > of the concrete issues so that we can evaluate: > > - The effort of fixing the issues > - The possibility and effort needed for work a rounds (as mentioned in the > answer to Rupert) > - The disadvantages for those requiring security if this issues aren't fixed > - The disadvantages for those not requiring security if this issues aren't > fixed
I agree that we need concrete things to evaluate. I see that Rupert already spent effort on fixing issues but did not create an issue for each case. Maybe this would have made things clearer and maybe Rupert can report on some details what he has fixed. Anyway, the reason why we are in the current situation and the discussion comes up again and again is IMHO exactly Retos point. Security features were introduced without careful planning and discussion. We just added security without testing all the components for security compliance first. People have agreed on including it but did not overlook the consequences. The main reason why the skeptics agreed on including it was, that it is easy to disable the security bundles on a launcher level. As I said, we do not have "default" settings - only launchers. The decision happened in the community and I think we should be more careful in the future when introducing cross-cuts. My suggestion would be to leave the full launcher as it is and prepare another launcher without the security bundles. Call it the "play" launcher or "getting started" launcher. This launcher is just for convenience for the people who do not want to load the security bundles. We could document that in productive environments we suggest to use security and that our long term goal is to support security in all bundles. -- Fabian http://twitter.com/fctwitt
