On Tue, Jan 08, 2019 at 04:40:47PM +0400, Marc-André Lureau wrote:
> Hi
> 
> On Tue, Jan 8, 2019 at 4:24 PM Christophe Fergeau <cferg...@redhat.com> wrote:
> >
> > On Wed, Dec 19, 2018 at 06:33:59PM +0400, marcandre.lur...@redhat.com wrote:
> > > +URI Parameters
> > > +--------------
> > > +
> > > +A description of host information and URI parameters is provided in
> > > +this section.  Information on the constraints of various data types is
> > > +provided in Section "Data Types".  All parameters are considered 
> > > optional;
> > > +however, a client will not be able to connect without sufficient
> > > +information.
> > > +
> > > +A parameter without a specified default value indicates that no
> > > +default value is implied by this URI scheme; however, Spice clients
> > > +can apply implementation-dependent default behaviors otherwise
> > > +consistent with this document.
> > > +
> > > +The <userinfo> value is deprecated and processed only in an
> > > +implementation-specific manner.  The <userinfo> component MUST NOT be
> > > +generated in an environment where a client supporting an updated URI
> > > +format is expected to be available.
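Review bot: The <userinfo> paragraph at the end of this hunk deprecates the whole component without saying what a generator should emit instead, and "an updated URI format" is not defined in the lines quoted here. Because <userinfo> can carry both a username and a password, state which part is being discouraged and why, and name the replacement parameters if any exist, so that "MUST NOT be generated" is a requirement an implementer can actually follow.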
> >
> > I don't think we should deprecate userinfo now, this is coming from the
> 
> Rationale? in spice-gtk there is a warning if you make use of it:
>              g_warning("password may be visible in process listings");

'userinfo' is username + password, I don't think we want to forbid
usernames in the URI, nor to deprecate that. Also, my understanding
from the VNC URI spec is that it's deprecated because there are
VncUsername/VncPassword replacements. In our case we don't have these.

Regarding that warning that you mention, this is for a very specific use
case, passing a URI on the command line. This document is more generic
than that, the URI with the password could be entered in a gtk text
entry, with some smartness to replace the password characters with * or
things like that, so typing the password as part of the URI is not
always terribly insecure.

Christophe
