Hi Reuben,
I'd say this is less part of wisdom than of comfort or personal taste ;)
From my experience with deploying any type of server in a production
environment I'm personally in favor of closing everything up and
adding extra documentation on how to enable wanted "security breaches" for
development or operation where needed.
But again this is my personal feeling for it, and if disabling SSH is a
regression we surely don't want to do it for the 2.2.x line
but should consider it for the 3.0 line.
Regards, Achim
On 28.03.2012 22:37, Reuben Garrett wrote:
with due respect for those more experienced than i am, i feel it's
best to disable by default any remote access, along the lines of
"security is mandatory" [1]. sure, the deployer of an instance is
responsible for tuning security - but it's nice to help people avoid
mistakes. if necessary, it could even be deferred to a major release
if there's a real backwards-compatibility issue.
that being said, i am still a fledgling, and i defer to the
committers' wisdom.
~ Reuben
[1]: http://www.apache.org/foundation/how-it-works.html#management
(below "Philosophy")
--
- Apache Karaf <http://karaf.apache.org/> Committer & PMC
- OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
- Blog<http://notizblog.nierbeck.de/>