durin42 added a comment.
>> It's been recommended to me that we avoid the streaming flavor of
>> cbor, so we'd probably just do one-shot messages.
>
> Out of curiosity, could you elaborate?

Here’s the relevant excerpt of the conversation:

< davidben> TBH, I haven't really been impressed by CBOR. The data model is sane, but I think they messed up the serialization.
< durin42> probably still better than something bespoke on balance
< davidben> I dunno, I have approximately no filter against making bespoke serializations so I'm perhaps not the best judge there.
< davidben> Though I do feel people should do it more. I had to push a team away from trying to use streaming CBOR when all they really needed was like a single length prefix. Streaming CBOR is really really bad.
< davidben> Whatever you do, *never* use streaming CBOR. They somehow managed to make it worse than streaming BER which is a true accomplishment.
< Alex_Gaynor> 👏
< durin42> noted
< davidben> (Problem is CBOR uses item count rather than item length so you need to recursively parse things to bound an element. They did it to make encoding easier but I think that was a mistake. Decoding is where you really need to worry about attacker-controlled input.)

I believe davidben works on Chrome, and I can try and get a more detailed critique of the format if you’re interested. I mostly trust davidben’s judgement on things like this.

REPOSITORY
  rHG Mercurial

REVISION DETAIL
  https://phab.mercurial-scm.org/D3845

To: hooper, #hg-reviewers
Cc: indygreg, yuja, durin42, mercurial-devel
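
The point about item counts versus byte lengths in the excerpt above, as an added example that is not part of the original message or of Mercurial's code: a minimal Python routine that finds where one CBOR data item ends and counts how many item heads it had to decode to do so. The names `item_end` and `MAX_DEPTH`, the depth limit of 32, and the sample bytes are assumptions made for this illustration.

```python
MAX_DEPTH = 32  # assumed nesting limit for this example

def _head(buf, pos):
    """Decode one item head: (major type, additional info, argument, next offset)."""
    if pos >= len(buf):
        raise ValueError("truncated head")
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info < 24:
        return major, info, info, pos
    if info <= 27:                      # 1-, 2-, 4- or 8-byte argument follows
        n = 1 << (info - 24)
        if pos + n > len(buf):
            raise ValueError("truncated argument")
        return major, info, int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if info == 31 and major in (2, 3, 4, 5, 7):
        return major, info, None, pos   # indefinite length (or break for major 7)
    raise ValueError("reserved additional info")

def item_end(buf, pos=0, depth=0):
    """Return (end offset, heads decoded) for the data item starting at pos."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    major, info, arg, pos = _head(buf, pos)
    heads = 1
    if major == 7 and info == 31:
        raise ValueError("unexpected break")
    if major in (0, 1, 7):              # integers, simple values, floats: head only
        return pos, heads
    if arg is None:                     # streaming form: no count, scan for 0xff
        while True:
            if pos >= len(buf):
                raise ValueError("missing break")
            if buf[pos] == 0xFF:
                return pos + 1, heads
            if major in (2, 3) and (buf[pos] >> 5 != major or buf[pos] & 0x1F == 31):
                raise ValueError("bad string chunk")
            pos, n = item_end(buf, pos, depth + 1)
            heads += n
    if major in (2, 3):                 # strings are the one case with a byte length
        if pos + arg > len(buf):
            raise ValueError("truncated string")
        return pos + arg, heads
    for _ in range({4: arg, 5: 2 * arg, 6: 1}[major]):   # counts, not byte lengths
        pos, n = item_end(buf, pos, depth + 1)
        heads += n
    return pos, heads

# Constructed sample: [1, [2, 3, [4, 5]], "hi"]
SAMPLE = bytes.fromhex("8301830203820405626869")
```

`item_end(SAMPLE, 2)` has to decode six heads to learn that the second array element ends at offset 8, where a length-prefixed frame would need a single read. The depth limit and the bounds checks are what stop a hostile count or nesting level in the input from driving the decoder past the bytes actually received.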