Re: [IANA #616232] Registration of text/vnd.debian.copyright: a media type for machine-readable copyright files.
- To: debian-policy@lists.debian.org
- Subject: Re: [IANA #616232] Registration of text/vnd.debian.copyright: a media type for machine-readable copyright files.
- From: Charles Plessy <plessy@debian.org>
- Date: Thu, 18 Oct 2012 09:36:05 +0900
- Message-id: <20121018003605.GB29754@falafel.plessy.net>
- In-reply-to: <rt-3.8.8-5587-1350324063-1009.616232-6-0@icann.org>
- References: <RT-Ticket-616232@icann.org> <20120829232528.GC2556@falafel.plessy.net> <87obltjmzw.fsf@windlord.stanford.edu> <20120910231018.GA18608@falafel.plessy.net> <87har5a1ce.fsf@windlord.stanford.edu> <20120911075026.GC14220@an3as.eu> <20120912004203.GD5638@falafel.plessy.net> <20121006024850.GA17141@plessy.org> <rt-3.8.8-5587-1350324063-1009.616232-6-0@icann.org>
Dear all,
The IESG-designated expert has reviewed our application and returned the inline
comments below.
I added my own comments below theirs.
> > Optional parameters:
> > revision - the revision number of the specification.
>
> The syntax of the revision number needs to be specified: digits,
> digits.digits, digits.digits-digits, whatever.
Given that the current revision number is 1.0, and that I do not
think that we aim at updating the format frequently, I propose
the following:
Optional parameters:
revision - the revision number of the specification (digits.digits).
> > Security considerations:
> > The machine-readable debian/copyright file format is declarative
> > and does not cause commands to be executed. However, some programs
> > that parse it may execute commands containing values of some fields.
> > Therefore an attacker may exploit some security flaws in such programs.
> > Parsers should therefore follow general practices to sanitise their
> > input.
>
> You should also specify if there are any privacy/integrity
> considerations here. I rather doubt that privacy is an issue for this
> type, but there may be cases where integrity protection is desirable.
I propose to add the following paragraphs.
The comment or license fields may be used to quote discussions where
redistribution terms have been clarified. There is no formal mechanism to
signal that a proper permission has been given to quote the discussion if
it was private.
The machine-readable debian/copyright file format does not feature mechanisms
to ensure the integrity of the file. Consider using secure transport when
needed.
I am not sure how the first paragraph is needed. What do you think?
Have a nice day,
--
Charles Plessy
Tsurumi, Kanagawa, Japan
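As an added illustration of the two points raised in the message above (the proposed digits.digits syntax for the revision parameter, and parsers treating field values as data rather than commands), here is a small validating parser. It is example code written for this page, not part of the thread or of any Debian tool; the Format URL and the sample file are constructed.

```python
import re

MEDIA_TYPE = "text/vnd.debian.copyright"
REVISION_RE = re.compile(r"^[0-9]+\.[0-9]+$")  # proposed syntax: digits.digits

def parse_content_type(value):
    """Parse 'type/subtype; name=value; ...'; reject a malformed revision."""
    parts = [p.strip() for p in value.split(";")]
    media, params = parts[0].lower(), {}
    for part in filter(None, parts[1:]):
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed parameter: %r" % part)
        params[name.strip().lower()] = val.strip().strip('"')
    rev = params.get("revision")
    if media == MEDIA_TYPE and rev is not None and not REVISION_RE.match(rev):
        raise ValueError("revision must be digits.digits, got %r" % rev)
    return media, params

def parse_header_paragraph(text):
    """Header paragraph as {field: value}; values are data, never commands."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                          # blank line ends the paragraph
        if line[0] in " \t":               # continuation of previous field
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, val = line.partition(":")
            if not sep:
                raise ValueError("not a field: %r" % line)
            current = name.strip()
            fields[current] = val.strip()
    return fields

def format_revision(fields):
    """Revision named by the Format field's last path component, or None."""
    m = re.search(r"/([0-9]+\.[0-9]+)/?$", fields.get("Format", ""))
    return m.group(1) if m else None

# Constructed sample; the Format URL is assumed, not taken from the thread.
SAMPLE = """Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Comment: Redistribution terms were clarified by upstream
 in a private e-mail; permission to quote it was given.

Files: *
"""
```

Comparing `format_revision()` against the media type's revision parameter lets a consumer notice a file whose declared format does not match what the transport claimed.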