
Re: [IANA #616232] Registration of text/vnd.debian.copyright: a media type for machine-readable copyright files.



Dear all,

The IESG-designated expert has reviewed our application and returned the inline
comments below.

I added my own comments below theirs.

> > Optional parameters:
> > revision - the revision number of the specification.
> 
> The syntax of the revision number needs to be specified: digits,
> digits.digits, digits.digits-digits, whatever.
 
Given that the current revision number is 1.0, and that I do not
think that we aim at updating the format frequently, I propose
the following:

  Optional parameters:
  revision - the revision number of the specification (digits.digits).

> > Security considerations:
> > The machine-readable debian/copyright file format is declarative
> > and does not cause commands to be executed. However, some programs
> > that parse it may execute commands containing values of some fields.
> > Therefore an attacker may exploit some security flaws in such programs.
> > Parsers should therefore follow general practices to sanitise their
> > input.
> 
> You should also specify if there are any privacy/integrity
> considerations here. I rather doubt that privacy is an issue for this
> type, but there may be cases where integrity protection is desirable.

I propose to add the following paragraphs.

  The comment or license fields may be used to quote discussions where
  redistribution terms have been clarified.  There is no formal mechanism to
  signal that proper permission has been given to quote the discussion if
  it was private.

  The machine-readable debian/copyright file format does not feature mechanisms
  to ensure the integrity of the file.  Consider using secure transport when
  needed.

I am not sure whether the first paragraph is needed.  What do you think?

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
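The two points raised above (a fixed "digits.digits" syntax for the revision parameter, and parsers that must treat field values as data because some consumers build commands from them) are easy to get wrong in practice. The following is an added example, not part of this e-mail, of the IANA application, or of any Debian tool: it validates the revision parameter of a text/vnd.debian.copyright Content-Type, splits a small debian/copyright file into stanzas, and contrasts splicing a Files value into a shell string with passing it as discrete argv elements. The sample file, the Files value containing a shell metacharacter, and the helper names (parse_media_type, parse_copyright, unsafe_list_command, list_files_argv) are all constructed for the example.

```python
"""Added example (not from the original e-mail or the copyright-format spec):
validate the proposed `revision` parameter, parse a constructed
debian/copyright file, and show why field values must never reach a shell."""
import re

# "digits.digits", the syntax proposed in the e-mail for the revision parameter.
REVISION_RE = re.compile(r"^[0-9]+\.[0-9]+$")


def revision_is_valid(revision):
    """True only for values of the form digits.digits (e.g. "1.0")."""
    return REVISION_RE.match(revision) is not None


def parse_media_type(header):
    """Parse 'type/subtype; k=v; k2="v2"' into (type, {k: v}).

    Type and parameter names are lower-cased; a revision parameter that is
    not digits.digits is rejected instead of being silently accepted."""
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        name, _, value = p.partition("=")
        name, value = name.strip().lower(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # unquote a quoted-string parameter
        params[name] = value
    if "revision" in params and not revision_is_valid(params["revision"]):
        raise ValueError("revision must be digits.digits, got %r" % params["revision"])
    return media_type, params


def parse_copyright(text):
    """Split an RFC 822-style debian/copyright file into a list of stanzas.

    Each stanza is a dict field -> value; continuation lines (leading
    whitespace) are appended with a newline. Values stay opaque strings."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a stanza
            if current:
                stanzas.append(current)
                current, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            current[last] += "\n" + line.strip()
            continue
        field, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        last = field.strip()
        current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def unsafe_list_command(files_value):
    """What a careless consumer might do: splice the Files value into a shell
    string. A value containing ';' ends the intended command and starts a
    second one chosen by whoever wrote the copyright file."""
    return "ls -l " + files_value


def list_files_argv(files_value):
    """Hardened form: each whitespace-separated pattern becomes one argv element
    after an allow-list check, and the vector is meant for
    subprocess.run(argv, shell=False); no shell ever sees the value."""
    allowed = re.compile(r"^[A-Za-z0-9_./*?\[\]-]+$")
    argv = ["ls", "-l", "--"]                # "--" stops option parsing
    for pattern in files_value.split():
        if pattern.startswith("-") or not allowed.match(pattern):
            raise ValueError("rejected Files pattern: %r" % pattern)
        argv.append(pattern)
    return argv


# Constructed sample input; the second Files value carries a shell metacharacter.
SAMPLE = """\
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example

Files: *
Copyright: 2013 Example Author
License: MIT
 Permission is hereby granted, free of charge, ...

Files: *.c; echo pwned
Copyright: 2013 Someone Else
License: MIT
"""

if __name__ == "__main__":
    print(parse_media_type('text/vnd.debian.copyright; revision="1.0"'))
    for stanza in parse_copyright(SAMPLE):
        files = stanza.get("Files")
        if files is None:
            continue
        print("unsafe:", repr(unsafe_list_command(files)))
        try:
            print("safe:  ", list_files_argv(files))
        except ValueError as exc:
            print("safe:   refused:", exc)
```

The parser deliberately does nothing with the values it extracts; the decision to turn a Files value into a command is the consumer's, and the allow-list plus `shell=False` is where the "sanitise their input" advice from the security considerations actually lands.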

