kinow commented on issue #1796: URL: https://github.com/apache/jena/issues/1796#issuecomment-1475758283
Jenkins had a similar request. I believe the user installing the tool must be responsible and enable the correct security levels that are expected, and having a simpler way to start the application for users & devs is useful. Said that, at some point Jenkins started getting lots of security issues (like the collections serialization attacks in Java). That, combined with the number of installations everywhere from people that just started `java -jar jenkins.war`, using Jenkins defaults, caused a lot of companies to have issues that started in the CI environment. Jenkins decided then to start strengthening up it defaults, and now it asks for a user to be created, generates a unique secure password on the terminal to use, can have different groups of plug-ins installed, … but that's a lot of complexity to maintain, and running a quick test with Jenkins became quite annoying. >How about changing the default ACL so new datasets are only writeable from localhost unless you actively modify the settings? I think @nichtich is a good compromise. We may get some user reports that they were not able to access Jena from `0.0.0.0`. Then we can point them to a page with instructions for enabling it, where the is also a big note saying what @afs said above, and links to how to secure Jena. If at that point the user just enables `0.0.0.0` without worrying about securing the server, I guess at least we cannot be blamed for telling them so. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
