Re: A media type for the machine-readable copyright format ?
On Tue, Sep 11, 2012 at 08:10:18AM +0900, Charles Plessy wrote:
> here is the information that I consider submitting to the IANA.

Hi Charles, thanks for taking care of this! I'm no expert in the sort of document you're submitting, but to my layman eyes all seems good.

> Person email address to contact for further information:
> Charles Plessy ple...@debian.org
[…]
> Change controller: The Debian Project http://www.debian.org

I wonder if the contact address shouldn't be something less tied to project individuals, like for instance debian-project@lists.d.o. Given there is already a separation between this and the author field (allowing to give proper credit to who worked on the application), I think it'd be better to have as contact point some role address of sorts. What do you think?

-- 
Stefano Zacchiroli  z...@upsilon.cc
Maître de conférences  http://upsilon.cc/zack
Debian Project Leader  @zack on identi.ca
« the first rule of tautology club is the first rule of tautology club »
Re: A media type for the machine-readable copyright format ?
On Tue, Sep 11, 2012 at 08:51:24AM +0200, Stefano Zacchiroli wrote:
> On Tue, Sep 11, 2012 at 08:10:18AM +0900, Charles Plessy wrote:
> > here is the information that I consider submitting to the IANA.
> > Person email address to contact for further information:
> > Charles Plessy ple...@debian.org
> […]
> > Change controller: The Debian Project http://www.debian.org
>
> I wonder if the contact address shouldn't be something less tied to project individuals, like for instance debian-project@lists.d.o. Given there is already a separation between this and the author field (allowing to give proper credit to who worked on the application), I think it'd be better to have as contact point some role address of sorts. What do you think?

Hi Stefano and debian-policy@lists.d.o subscribers,

I was wondering about the same, but I was worried that having a broad-readership mailing list as a contact point would create confusion about who is expected to answer. How about debian-policy@lists.d.o ? It is anyway the contact point for the specification itself.

Cheers,

-- 
Charles Plessy
Debian Med packaging team, http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120911074152.ga20...@falafel.plessy.net
Re: A media type for the machine-readable copyright format ?
On Mon, Sep 10, 2012 at 04:45:53PM -0700, Russ Allbery wrote:
> > - About security, the discussion on debian-devel leads me to think that there is no need to worry. I included a short comment suggesting that field values should be sanitised as usual. Does anybody see other potential security issues ?
>
> No, your security considerations seem reasonable to me.

While it is probably very reasonable to do sanity checks "as usual", the "as usual" is a hint that the phrase might be redundant. It somehow has the same value as "People parsing debian/copyright should know their job." As I said in a previous mail, the attacker is the same person (group of persons) who writes debian/copyright *and* all the other packaging stuff - so he would attack himself.

Just my 2 Eurocents

Andreas.

-- 
http://fam-tille.de

Archive: http://lists.debian.org/20120911075026.gc14...@an3as.eu
Re: A media type for the machine-readable copyright format ?
On Tue, Sep 11, 2012 at 04:41:52PM +0900, Charles Plessy wrote:
> > I wonder if the contact address shouldn't be something less tied to project individuals, like for instance debian-project@lists.d.o. Given there is already a separation between this and the author field (allowing to give proper credit to who worked on the application), I think it'd be better to have as contact point some role address of sorts. What do you think?
>
> Hi Stefano and debian-policy@lists.d.o subscribers,
>
> I was wondering about the same, but I was worried that having a broad-readership mailing list as a contact point would create confusion about who is expected to answer. How about debian-policy@lists.d.o ? It is anyway the contact point for the specification itself.

Hi again Charles, in fact the above is a typo of mine :-). debian-*policy*@lists.d.o is in fact what I wanted to propose. Sorry for the confusion.

Cheers.

-- 
Stefano Zacchiroli  z...@upsilon.cc
Maître de conférences  http://upsilon.cc/zack
Debian Project Leader  @zack on identi.ca
« the first rule of tautology club is the first rule of tautology club »
Re: A media type for the machine-readable copyright format ?
Charles Plessy ple...@debian.org writes:

> I was wondering about the same, but I was worried that having a broad-readership mailing list as a contact point would create confusion about who is expected to answer. How about debian-policy@lists.d.o ? It is anyway the contact point for the specification itself.

That works for me.

-- 
Russ Allbery (r...@debian.org)  http://www.eyrie.org/~eagle/

Archive: http://lists.debian.org/87sjaomv6s@windlord.stanford.edu
Re: A media type for the machine-readable copyright format ?
On Tue, Sep 11, 2012 at 09:50:26AM +0200, Andreas Tille wrote:
> On Mon, Sep 10, 2012 at 04:45:53PM -0700, Russ Allbery wrote:
> > > - About security, the discussion on debian-devel leads me to think that there is no need to worry. I included a short comment suggesting that field values should be sanitised as usual. Does anybody see other potential security issues ?
> >
> > No, your security considerations seem reasonable to me.
>
> While it is probably very reasonable to do sanity checks "as usual", the "as usual" is a hint that the phrase might be redundant. It somehow has the same value as "People parsing debian/copyright should know their job."

Hi Andreas and everybody,

In my understanding of http://tools.ietf.org/html/rfc4288#section-4.6, this is what is expected for this section. For a broad readership, the recommendation is not completely tautological, as it indicates that there are best practices for input sanitisation (which may not be the case for more complex or novel security issues). To help convey this message, I changed « and » to « to » in the last sentence:

    Parsers should therefore follow general practices to sanitise their input.

I have requested a pre-submission review to media-ty...@iana.org.

http://lists.debian.org/20120912004203.gd5...@falafel.plessy.net

This is not the formal submission, so further comments are still very welcome in this thread.

Cheers,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20120912004826.ge5...@falafel.plessy.net
Re: A media type for the machine-readable copyright format ?
Dear all,

here is the information that I consider submitting to the IANA.

By the way, I realised that the procedure for registration of media types is being updated. Among the changes in this draft, early submission of media types is encouraged, the use of unregistered (x.) prefixes is reduced, and x- prefixes are no longer considered to be members of the unregistered tree. These x-prefixed types may be registered with no x- prefix if they are generally useful and widely deployed. See http://datatracker.ietf.org/doc/draft-ietf-appsawg-media-type-regs/

I have the following questions about my draft (see below).

 - Is a charset parameter helpful in the cases a program would fall back on text/plain, or is it useless or confusing as the machine-readable copyright spec already requires files to be encoded in UTF-8 ?

 - Would an optional parameter "revision" be useful, or is this premature ?

 - About security, the discussion on debian-devel leads me to think that there is no need to worry. I included a short comment suggesting that field values should be sanitised as usual. Does anybody see other potential security issues ?

-

Type name: text

Subtype name: vnd.debian.copyright

Required parameters: charset - the value of charset is always UTF-8.

Optional parameters: revision - the revision number of the specification.

Encoding considerations: The encoding is always UTF-8.

Security considerations: The machine-readable debian/copyright file format is declarative and does not cause commands to be executed. However, some programs that parse it may execute commands containing values of some fields. Therefore an attacker may exploit some security flaws in such programs. Parsers should therefore follow general practices and sanitise their input.

Interoperability considerations: This media type is a subtype of text/plain in the sense of the FreeDesktop Shared MIME-info Database specification.

Published specification: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Applications that use this media type: The media type vnd.debian.copyright is not yet recognised by applications. The machine-readable debian/copyright file format is for instance read and written by the 'cme' command from the Config::Model Perl module. This list is not exhaustive.

Additional information:
  Deprecated alias names for this type: None.
  Magic number(s): Files usually start with the following string: Format: http://www.debian.org/doc/packaging-manuals/copyright-format/
  File extension(s): No extension, but the file is usually named 'copyright'.
  Macintosh file type code(s): None.

Person email address to contact for further information: Charles Plessy ple...@debian.org

Intended usage: LIMITED USE

Restrictions on usage: None.

Author: Charles Plessy ple...@debian.org

Change controller: The Debian Project http://www.debian.org

-

Your comments are very welcome,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20120910231018.ga18...@falafel.plessy.net
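The registration template above names three things a reader of these files has to get right: the "Format:" magic string, the always-UTF-8 charset, and the security consideration that field values must be sanitised because some programs hand them to commands. The following is an added example, not from the thread and not the code of cme or any Debian tool, of a small Python reader that applies those three points; the control-format parsing rules, the control-character filter and the sample file are my own assumptions and constructions.

```python
import re
# Magic string named in the registration template: files start with "Format: <this URL>".
FORMAT_URL_PREFIX = "http://www.debian.org/doc/packaging-manuals/copyright-format/"
_FIELD_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9-]*):[ \t]*(.*)$")
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")  # C0 controls and DEL; tab, LF, CR excepted

def is_debian_copyright(data):
    """Magic-number check: UTF-8 text whose first line is a Format field with the spec URL."""
    try:
        head = data.decode("utf-8").split("\n", 1)[0]
    except UnicodeDecodeError:
        return False
    m = _FIELD_RE.match(head)
    return bool(m) and m.group(1) == "Format" and m.group(2).startswith(FORMAT_URL_PREFIX)

def parse_paragraphs(data):
    """Parse Debian control format (blank-line separated paragraphs of 'Name: value' fields)."""
    text = data.decode("utf-8")  # charset is always UTF-8; other bytes are rejected here
    paragraphs, current, last = [], {}, None
    for line in text.split("\n"):
        if not line.strip():
            if current:
                paragraphs.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last is not None:  # continuation line of the previous field
            current[last] += "\n" + line[1:]
        else:
            m = _FIELD_RE.match(line)
            if not m:
                raise ValueError("malformed line: %r" % line)
            last = m.group(1)
            current[last] = m.group(2)
    if current:
        paragraphs.append(current)
    return paragraphs

def sanitised(value):
    """Refuse control characters before a value reaches a terminal, a filename or argv."""
    if _CONTROL_RE.search(value):
        raise ValueError("control character in field value")
    return value

def license_short_names(data):
    """Short license names (first line of each License field), treated as data and sanitised."""
    return [sanitised(p["License"].split("\n", 1)[0])
            for p in parse_paragraphs(data) if "License" in p]

SAMPLE = (  # constructed sample, not a real package's debian/copyright file
    "Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\n"
    "\n"
    "Files: *\n"
    "Copyright: 2012 Example Author\n"
    "License: Expat\n"
    " Permission is hereby granted, free of charge, to any person [...]\n"
).encode("utf-8")
```

The point of sanitised() is the one the template makes: the format itself runs nothing, so the only place a hostile value can do harm is in a program that passes it on unchecked.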
Re: A media type for the machine-readable copyright format ?
Charles Plessy ple...@debian.org writes:

> I have the following questions about my draft (see below).
>
> - Is a charset parameter helpful in the cases a program would fall back on text/plain, or is it useless or confusing as the machine-readable copyright spec already requires files to be encoded in UTF-8 ?

I would leave charset in. A lot of MIME software will look at that for any text/* type and will expect 7-bit ASCII if it's not present.

> - Would an optional parameter "revision" be useful, or is this premature ?

I think it's a good idea. You may get some pushback on encoding that in the subtype instead of in a parameter, but I think a parameter is the right approach.

> - About security, the discussion on debian-devel leads me to think that there is no need to worry. I included a short comment suggesting that field values should be sanitised as usual. Does anybody see other potential security issues ?

No, your security considerations seem reasonable to me.

-- 
Russ Allbery (r...@debian.org)  http://www.eyrie.org/~eagle/

Archive: http://lists.debian.org/87har5a1ce@windlord.stanford.edu
Re: A media type for the machine-readable copyright format ?
On Tue, Sep 04, 2012 at 08:43:17AM +0900, Charles Plessy wrote:
> My personal opinion would be to follow completely SPDX's list in the next revision, but this would require 1) volunteers to submit some items to SPDX's bug tracker for inclusion in their list

Hello everybody,

the press release for SPDX 1.1 mentions an easier process for accommodating additional license requests.

http://www.linuxfoundation.org/news-media/announcements/2012/08/linux-foundation%E2%80%99s-spdx%E2%84%A2-workgroup-releases-new-version-software
http://www.spdx.org/content/spdx-license-list-process-requesting-new-licenses-be-added

Please consider contributing there when you see the same new license coming regularly in your copyright files.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20120906222954.ga6...@falafel.plessy.net
Re: A media type for the machine-readable copyright format ?
On Thursday 30 August 2012 01:25:28 Charles Plessy wrote:
> I am therefore considering submitting to the IANA a new media type, for instance text/vnd.debian.copyright, for the machine-readable copyright files following the format at http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/. What do you think ?

Linux foundation is working on a standard named SPDX [1] which provides similar information (and a lot of others). Maybe you should check with them before pushing dep-5 to an official organisation.

Hope this helps

[1] http://spdx.org/

-- 
https://github.com/dod38fr/  -o-  http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/  -o-  irc: dod at irc.debian.org

Archive: http://lists.debian.org/201209031723.11263@debian.org
Re: A media type for the machine-readable copyright format ?
On Mon, Sep 03, 2012 at 05:23:10PM +0200, Dominique Dumont wrote:
> On Thursday 30 August 2012 01:25:28 Charles Plessy wrote:
> > I am therefore considering submitting to the IANA a new media type, for instance text/vnd.debian.copyright, for the machine-readable copyright files following the format at http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/. What do you think ?
>
> Linux foundation is working on a standard named SPDX [1] which provides similar information (and a lot of others). Maybe you should check with them before pushing dep-5 to an official organisation.

Hi Dominique,

thanks for the comment. I am well aware of SPDX and we mention it in the machine-readable debian/copyright specification, in the section on license short names. We took care that there is a maximal compatibility between our lists. My personal opinion would be to follow completely SPDX's list in the next revision, but this would require 1) volunteers to submit some items to SPDX's bug tracker for inclusion in their list, and 2) resolving the case of the Expat license that is (rightly, in my opinion) called MIT in SPDX.

More importantly, the two projects have different scopes. SPDX documents each file and the Debian policy lets the user document groups of files that have the same license. Also, SPDX supports various formats but not the Debian control data format, and our machine-readable format supports only this one. As you know well, the approach is rather to generate machine-readable debian/copyright files from SPDX files. See for instance the following blueprint at Ubuntu.

https://blueprints.launchpad.net/ubuntu/+spec/other-q-spdx-gen

Altogether, I think that Debian is likely to serve machine-readable debian/copyright files for at least a couple of releases, so a registered media type would not be a waste.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20120903234317.ga15...@falafel.plessy.net
A media type for the machine-readable copyright format ?
Dear all,

I would like to experience myself with the submission of media types to the IANA, but I have no format of mine to propose. However, Debian released this year a standard for machine-readable copyright files, which have been used informally since 2007. There are parsers that exist to produce or validate these files, and we are currently serving thousands of them through packages.debian.org, our VCS browsers. Obviously, our derivatives also use, modify and distribute these files.

I am therefore considering submitting to the IANA a new media type, for instance text/vnd.debian.copyright, for the machine-readable copyright files following the format at http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/.

What do you think ?

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20120829232528.gc2...@falafel.plessy.net
Re: A media type for the machine-readable copyright format ?
Charles Plessy ple...@debian.org writes:

> I would like to experience myself with the submission of media types to the IANA, but I have no format of mine to propose. However, Debian released this year a standard for machine-readable copyright files, which have been used informally since 2007. There are parsers that exist to produce or validate these files, and we are currently serving thousands of them through packages.debian.org, our VCS browsers. Obviously, our derivatives also use, modify and distribute these files.
>
> I am therefore considering submitting to the IANA a new media type, for instance text/vnd.debian.copyright, for the machine-readable copyright files following the format at http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/.
>
> What do you think ?

Sounds like a great idea to me.

-- 
Russ Allbery (r...@debian.org)  http://www.eyrie.org/~eagle/

Archive: http://lists.debian.org/87obltjmzw@windlord.stanford.edu