Posted to issues@lucene.apache.org by "Ishan Chattopadhyaya (Jira)" <ji...@apache.org> on 2019/12/11 00:10:00 UTC

[jira] [Comment Edited] (SOLR-13978) Remove bloat from default configset

    [ https://issues.apache.org/jira/browse/SOLR-13978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16993052#comment-16993052 ] 

Ishan Chattopadhyaya edited comment on SOLR-13978 at 12/11/19 12:09 AM:
------------------------------------------------------------------------

I'm picking this up now and working on a patch/PR to remove bloat from default configset.

On the topic of config APIs, I am in both camps. There are, say, 9 vulnerable components, and 1 config API. It is easy to remove the 1 config API and sleep peacefully that my other 9 aren't a problem anymore. But, this is also equivalent to throwing the baby out with the bath water. My preference would be to throw out those 9 vulnerable components (which are, combined, not even a quarter as useful to users as the config API). Hence, I am okay to disable (by default) config API now, i.e. 8.4. But, for that *I would need broad consensus that it is only an interim measure* until all vulnerable components are removed from Solr shortly after and config API is enabled back again (by default) after that. Added SOLR-14049 to discuss this. I'll proceed on that issue once we have consensus.


was (Author: ichattopadhyaya):
I'm picking this up now and working on a patch/PR to remove bloat from default configset.

On the topic of config APIs, I am in both camps. There are, say, 9 vulnerable components, and 1 config API. It is easy to remove the 1 config API and sleep peacefully that my other 9 aren't a problem anymore. But, this is also equivalent to throwing the baby out with the bath water. My preference would be to throw out those 9 vulnerable components (which are, combined, not even a quarter as useful to users as the config API). Hence, I am okay to disable (by default) config API now, i.e. 8.4. But, for that *I would need broad consensus that it is only an interim measure* until all vulnerable components are removed from Solr shortly after and config API is enabled back again (by default) after that.

> Remove bloat from default configset
> -----------------------------------
>
>                 Key: SOLR-13978
>                 URL: https://issues.apache.org/jira/browse/SOLR-13978
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Blocker
>             Fix For: 8.4
>
>
> We need to review and remove all components that are not essential for search, indexing and other core functionality. Velocity, DIH, etc. should be reviewed.
> (Marking this as an 8.4 release blocker).


