On 3/15/23 13:52, Jan Høydahl wrote:
There's a catch-22 here. Enterprises that require encryption at rest likely won't tolerate enabling a package manager that lets you download executable code from the internet during runtime, especially when that package manager is both home-grown, and largely unused and neglected.

Downloading executable code at runtime within Solr itself does seem like a VERY bad idea. I don't think we should do that at all, which includes doing it in the admin UI. In addition to potential hijacking attack vectors, some artifacts might have classloader issues if dynamically loaded at runtime.

Make it something a user does manually at the commandline with the solr script and require a service restart. Have it give the user a cryptographic signature or hash for all downloaded artifacts. We could even include those signatures in the Solr distribution so the package install can verify them, and printing them out makes it easier for the user to do their own independent verification.

Of course a truly paranoid user can copy the downloaded artifacts to another sandboxed system and obtain the signature themselves for comparison.

Thanks,
Shawn
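The install-time check sketched above (digests pinned in the distribution, checked before anything is installed, and printed so the user can verify independently), as an added example that is not Solr code and not part of this thread; the manifest format, artifact names and sample bytes are constructed assumptions:

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a digest manifest shipped inside the distribution, in sha256sum's
# "<hex digest>  <artifact>" format; the digests are SHA-256 of the sample bytes in demo().
MANIFEST = """
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  solr-example-plugin-1.0.jar
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  solr-tampered-plugin-1.0.jar
"""

def parse_manifest(text):
    """Map artifact name -> expected lowercase hex digest, ignoring blank lines."""
    pairs = (line.split(None, 1) for line in text.splitlines() if line.strip())
    return {name.strip(): digest.lower() for digest, name in pairs}

def verify_artifact(path, manifest):
    """Return (ok, actual_digest, reason); artifacts absent from the manifest fail closed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream; jars can be large
            h.update(chunk)
    actual = h.hexdigest()
    pinned = manifest.get(os.path.basename(path))
    if pinned is None:
        return False, actual, "not pinned in the distribution"
    if not hmac.compare_digest(actual, pinned):
        return False, actual, "digest mismatch"
    return True, actual, "ok"

def demo():
    """Verify three constructed downloads; returns {artifact: ok} and prints each digest."""
    manifest = parse_manifest(MANIFEST)
    samples = {
        "solr-example-plugin-1.0.jar": b"abc",   # intact: matches the pinned digest
        "solr-tampered-plugin-1.0.jar": b"abd",  # one byte altered after pinning
        "unknown-plugin-1.0.jar": b"abc",        # never pinned, so refused outright
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            ok, digest, reason = verify_artifact(path, manifest)
            print("%s  %s  %s" % (digest, name, reason))  # printed so the user can cross-check by hand
            results[name] = ok
    return results
```

Only an artifact whose name is in the manifest and whose digest matches is accepted; a missing entry is treated the same as a mismatch rather than silently allowed.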

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
For additional commands, e-mail: dev-h...@solr.apache.org