activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Shannon <christopher.l.shan...@gmail.com>
Subject Re: [DISCUSS] Removing the Web Console
Date Fri, 30 Sep 2016 10:05:33 GMT
John, you'd have to search the archives but if you look at the history
Hawt.io was brought in as the console but backed out.  I think there was
disagreement about having a RH product as part of the distribution or
something like that with branding.  This was before my time contributing so
someone who was involved with the discussions back then can probably chime
in.  I know there was quite a large discussion on the issue.

I do agree with Jim that having a console is useful but I would prefer to
have something 3rd party as a console whether that is Hawt.io or something
else.  I personally would love to just use Hawt.io and I think it is a good
product (and I don't work for RH).  However even if we don't bundle Hawt.io
with ActiveMQ users can still use it, they just have to install it separate.

Ultimately just don't think we should be in the business of trying to
provide a web console (or any software for that matter) if we aren't going
to provide any support for it as it will just stay buggy and vulnerable to
exploits.

This also brings up another point...I suppose we should look into some sort
of web console support for Artemis as well (ie writing a plugin for
Hawt.io, etc)

On Thu, Sep 29, 2016 at 9:47 PM, John D. Ament <johndament@apache.org>
wrote:

> Just wondering - considering where a number of committers work.  Why not
> leverage hawt.io as a new console?
>
> John
>
> On Thu, Sep 29, 2016 at 7:45 PM Jim Gomes <jgomes@apache.org> wrote:
>
> > Thanks for getting the discussion going again.  You bring up some
> > interesting points.  As stale as the console may be, I still find it
> > incredibly useful, and would hope that it will remain until a replacement
> > option is available.  I have found moving to Apache Artemis to feel like
> > I'm moving backwards because there is no admin console for it.
> >
> > For those that may view it as a security risk, it is a simple matter to
> > disable it.  If it were to be replaced, what would be some potential
> > replacements? Could the most vulnerable parts of it be removed while
> still
> > remaining useful?  I mostly use it for knowing what clients are
> connected,
> > how many messages have been sent to destinations, and things like that. I
> > can't see how those limited functions would be difficult to keep, nor how
> > they could be a security issue.
> >
> > On Wed, Sep 28, 2016 at 8:18 AM Christopher Shannon <
> > christopher.l.shannon@gmail.com> wrote:
> >
> > > First, I know this topic was brought up back in January 2014 and there
> > were
> > > a lot of discussions about what to do about it  and ultimately nothing
> > > happened.  However, it has been nearly 3 years since the last time this
> > > subject was brought up and absolutely nothing has changed so I think it
> > is
> > > time to bring it up again and see what people's current opinions are.
> > >
> > > The Web Console is extremely out of date and since the last discussions
> > on
> > > the subject is still completely un-maintained.  It is buggy and has had
> > > many security vulnerabilities that keep popping up including several
> that
> > > have been reported over the past year.  In the past 3 years no one has
> > > shown any interest in contributing fixes to the console to maintain it.
> > > Essentially no work has gone into the console except for security
> fixes.
> > >
> > > Also, I know there was talk about moving it into a sub project however
> I
> > > don't think that really solves anything.  The code would just be moved
> > to a
> > > new location and still be un-maintained and full of potential security
> > > vulnerabilities.
> > >
> > > So my preference would be just to EOL the console and remove it form
> > future
> > > versions. However, if there are people who really still want to keep it
> > > then at the very least I think it should go into a sub project along
> with
> > > some sort of warning that says it is deprecated and to use at your own
> > > risk, etc.
> > >
> > > Thoughts?
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message