ossf / wg-securing-critical-projects

Helping allocate resources to secure the critical open source projects we all depend on.
Apache License 2.0
318 stars 34 forks

Project for consideration #47

Closed ralight closed 1 year ago

ralight commented 2 years ago

Hello,

I'd like to humbly submit my project for consideration: Eclipse Mosquitto. This is the most widely deployed open source MQTT broker - so a server that sits on the network, accepts client connections and transfers messages between clients. It is widely used, with over 500M pulls on Docker Hub. I am aware of it being used in a diverse range of industrial applications such as control of UK rail signalling, building automation, vehicle tracking, and manufacturing with PLC/SCADA-like systems, as well as in the home as part of home automation projects.

It is essentially a one man project, but I am paid to work on it.

In terms of security, it always drops privileges very quickly unless the end user explicitly tells it to run as root in the configuration file. It requires the end user to decide on the authentication strategy before it will listen on an externally accessible network port. There have unfortunately been issues reported in the past which required a CVE. I have spent a decent amount of effort improving tests to try to keep ahead of that, and have also had a bit of help from the Synopsys Defensics team in that regard.

https://mosquitto.org/
https://github.com/eclipse/mosquitto/
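The two defaults described in the comment above (privileges are dropped unless the configuration says `user root`, and a listener reachable from the network needs an explicit authentication decision) expressed as a configuration check. This is an added example by the editor, not part of the issue thread and not Mosquitto's own code: the directive names (`listener`, `per_listener_settings`, `allow_anonymous`, `password_file`, `psk_file`, `plugin`/`auth_plugin`, `user`) are real mosquitto.conf directives, the two sample configurations are constructed, and the lint rules (treat settings before a listener as global, count any of the auth directives as "authentication configured") are the editor's simplifications of the broker's actual rules, not a statement of how the broker itself evaluates them.

```python
"""Lint a mosquitto.conf for the two hardening points discussed in the issue.

Added example, not Mosquitto project code.  Directive names are real
mosquitto.conf directives; the evaluation rules below are simplified
assumptions made for this checker, not the broker's own logic.
"""
import ipaddress

LOOPBACK_NAMES = {"localhost"}
# Directives that, for this checker, count as "an authentication method".
AUTH_DIRECTIVES = {"password_file", "psk_file", "plugin", "auth_plugin"}


def _is_loopback(bind):
    """True if a listener's bind address is only reachable locally."""
    if bind is None:
        return False            # no bind address: all interfaces
    if bind in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return False            # e.g. an interface name: assume external


def parse_mosquitto_conf(text):
    """Return (global_settings, listeners).

    Assumption for this checker: with per_listener_settings true, directives
    after a 'listener' line belong to that listener; otherwise (and before the
    first listener) they are treated as global.
    """
    global_settings, listeners = {}, []
    per_listener, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "per_listener_settings":
            per_listener = value.lower() == "true"
            continue
        if key == "listener":
            fields = value.split()
            current = {"port": int(fields[0]),
                       "bind": fields[1] if len(fields) > 1 else None,
                       "settings": {}}
            listeners.append(current)
            continue
        target = current["settings"] if (per_listener and current) else global_settings
        target[key] = value
    return global_settings, listeners


def check_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    g, listeners = parse_mosquitto_conf(text)

    # Point 1: the only way to keep root is to ask for it in the config.
    if g.get("user") == "root":
        findings.append("'user root' configured: the broker will not drop privileges")

    # Point 2: every network-reachable listener needs an auth decision.
    for ln in listeners:
        if _is_loopback(ln["bind"]):
            continue                        # local-only, not externally reachable
        eff = dict(g)
        eff.update(ln["settings"])
        where = f"listener {ln['port']}" + (f" {ln['bind']}" if ln["bind"] else "")
        anonymous = eff.get("allow_anonymous", "false").lower() == "true"
        has_auth = any(k in eff for k in AUTH_DIRECTIVES)
        if anonymous:
            findings.append(f"{where}: allow_anonymous true on a network-reachable listener")
        elif not has_auth:
            findings.append(f"{where}: no authentication method configured "
                            f"(password_file, psk_file or plugin)")
    return findings


# Constructed sample: exposed on all interfaces, open to anyone, stays root.
WEAK_CONF = """\
listener 1883
allow_anonymous true
user root
"""

# Constructed sample: TLS listener with password auth, plus a loopback-only
# listener that may stay anonymous because it is not reachable from the network.
HARDENED_CONF = """\
per_listener_settings true
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 1883 127.0.0.1
allow_anonymous true
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_config(conf) or ["ok"])
```

A listener with neither `allow_anonymous true` nor an auth directive is flagged as well, since that is the case where the operator has not yet made the decision the comment describes; the checker does not attempt to model what the broker does with such a listener.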

Amir-Montazery commented 2 years ago

Hello,

Your project has been added to the "Community/OpenSSF Member Additions" tab of the list (https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM) for consideration. We are going through all submissions best we can to ensure proper and fair consideration for everyone who participates. Would you like to discuss your project when it comes time for the workgroup to discuss Mosquitto?

david-a-wheeler commented 2 years ago

Thanks for the self-submission, I think that's a first.

> This is the most widely deployed open source MQTT broker

Can you share any data / public evidence supporting this? There are a huge number of important OSS projects, the more data we have the better we can make fair determinations.

Thanks again!

ralight commented 2 years ago

@Amir-Montazery Thank you. Yes, I'd be happy to discuss the project.

@david-a-wheeler The best numbers I have are the Docker Hub numbers, which admittedly don't tell you how many deployments there are. Mosquitto has around 550M total pulls; other open source MQTT brokers have 14M, 5M, and 4M pulls. My understanding is that the pull count over a day gives a reasonable idea of the number of active instances. Mosquitto had 457k yesterday; the others had 26k, 9k, and 9k. For a comparison of scale, nginx and node had 3.6M and 2.4M pulls yesterday.

Amir-Montazery commented 1 year ago

This has been added to the latest version of the Set. Please review and comment. https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=571311621