qpid-dev mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: Configuration for security.
Date Thu, 07 May 2015 09:12:21 GMT
On Wed, May 6, 2015 at 5:09 PM, Andrew Stitcher <astitcher@redhat.com>
wrote:

> I agree with this restatement of your position 100% - user configurable
> settings are evil.
>

I assume you are talking mainly about Proton here, and I'm not sure what the
impact would be on me as a user and owner of AMQP / Qpid based messaging
infrastructure.

But as a user, I see this differently. As far as I know, Qpid has no
concept for supporting older versions and doesn't seem to release any
security fixes for older versions. In case a security issue is discovered
... with detailed configuration options the users of older releases might
be able to secure their software just by re-configuring it. Without them,
they will have to wait for the next release and will most probably be forced to
upgrade to a new major release. If you look at the past year or two, for
example SSL/TLS had its fair share of issues like insecure SSL versions or
encryption algorithms.

From this perspective I like the initial suggestion from Alan - to have a
top level setting to simplify the configuration and "change the defaults"
and at the same time have a fine grained control for those who need them.

J.
