
Re: A media type for the machine-readable copyright format ?



On Tue, Sep 11, 2012 at 09:50:26AM +0200, Andreas Tille wrote:
> On Mon, Sep 10, 2012 at 04:45:53PM -0700, Russ Allbery wrote:
> > 
> > >  - About security, the discussion on debian-devel leads me to think that
> > >  there is no need to worry.  I included a short comment suggesting that
> > >  field values should be sanitised as usual.  Does anybody see other
> > >  potential security issues ?
> > 
> > No, your security considerations seem reasonable to me.
> 
> While it is probably very reasonable to do sanity checks as usual the
> "as usual" is a hint that the phrase might be redundant.  It somehow has
> the value as "People parsing debian/copyright should know their job."

Hi Andreas and everybody,

In my understanding of http://tools.ietf.org/html/rfc4288#section-4.6, this is
what is expected for this section.  For a broad readership, the recommendation
is not completely tautological, as it indicates that there are best practices
for input sanitisation (which may not be the case for more complex or novel
security issues).  To help convey this message, I changed « and » to « to » in
the last sentence:

  Parsers should therefore follow general practices to sanitise their input.

I have requested a pre-submission review to media-types@iana.org.

  http://lists.debian.org/20120912004203.GD5638@falafel.plessy.net

This is not the formal submission so further comments are still very welcome in
this thread.

Cheers,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
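As an added illustration of what "general practices to sanitise their input" can mean for a parser of the machine-readable debian/copyright format, here is a small Python parser for the control-file syntax the format uses (paragraphs separated by blank lines, `Field: value` lines, continuation lines beginning with whitespace). This is example code written for this page, not code from the thread, the format specification, or any Debian tool; the sample file, the line-length and paragraph-count limits, and the restricted field-name pattern are assumptions chosen for the example, and comment lines are not handled.

```python
import re
from typing import Dict, List

# Constructed sample of a machine-readable debian/copyright file (not from the page).
SAMPLE = """Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example
Source: https://example.invalid/example

Files: *
Copyright: 2012 Example Author
License: GPL-2+
 This program is free software; you can redistribute it
 and/or modify it under the terms of the GNU General Public License.
"""

# Limits chosen for this example; a real parser would pick values to suit its use.
MAX_LINE_LEN = 4096
MAX_PARAGRAPHS = 1000
# Field names restricted to a conservative ASCII subset (an assumption of this example).
FIELD_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")
# Control characters other than TAB, LF and CR have no place in a text control file.
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class CopyrightParseError(ValueError):
    """Raised when the input violates the syntax or the sanitisation rules."""


def _check_line(line: str, lineno: int) -> None:
    if len(line) > MAX_LINE_LEN:
        raise CopyrightParseError(f"line {lineno}: exceeds {MAX_LINE_LEN} characters")
    if CONTROL.search(line):
        raise CopyrightParseError(f"line {lineno}: control character in input")


def parse_copyright(data: bytes) -> List[Dict[str, str]]:
    """Parse raw file bytes into a list of paragraphs (field name -> value)."""
    try:
        text = data.decode("utf-8", errors="strict")  # reject malformed UTF-8 outright
    except UnicodeDecodeError as exc:
        raise CopyrightParseError(f"invalid UTF-8: {exc}") from None

    paragraphs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field = None
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        _check_line(line, lineno)
        if line.strip() == "":
            # Blank line ends the current paragraph.
            if current:
                paragraphs.append(current)
                if len(paragraphs) > MAX_PARAGRAPHS:
                    raise CopyrightParseError(f"line {lineno}: too many paragraphs")
                current, last_field = {}, None
            continue
        if line[0] in " \t":
            # Continuation line: append to the previous field's value.
            if last_field is None:
                raise CopyrightParseError(f"line {lineno}: continuation line without a field")
            current[last_field] += "\n" + line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep or not FIELD_NAME.match(name):
            raise CopyrightParseError(f"line {lineno}: malformed field line")
        if name in current:
            raise CopyrightParseError(f"line {lineno}: duplicate field {name!r}")
        current[name] = value.strip()
        last_field = name
    if current:
        paragraphs.append(current)
    return paragraphs


def rejects(data: bytes) -> bool:
    """True if the parser refuses the input (convenience for checks)."""
    try:
        parse_copyright(data)
    except CopyrightParseError:
        return True
    return False


if __name__ == "__main__":
    for paragraph in parse_copyright(SAMPLE.encode("utf-8")):
        print(paragraph)
```

The checks that matter here are the ones that run before any field value is used: strict UTF-8 decoding, rejection of control characters, bounded line length and paragraph count, a restricted field-name alphabet, and an error on continuation lines that have nothing to continue. Each of these turns a malformed file into a clean parse error rather than into data that a downstream consumer (a web page, a shell command, a database) would have to deal with.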

