Request for mime type registration for application/vnd.pkg5.info

Chris Newman Chris.Newman at Sun.COM
Sun Mar 29 22:17:51 CEST 2009


Based on the example, this seems like a sensible file format / data model 
to provide pointers to software packages and repositories.  There actually 
isn't anything pkg5 specific about this format beyond the implicit 
assumption that the repositories use pkg5 format.  Have you considered 
adding a "repository-type" field (with "pkg5" as one type), and writing a 
formal specification so the file format might get broader adoption?

As for issues with the media type itself, the main complexity in the 
write-up is the security considerations this will inherit, including:
 * When JSON is processed in Javascript without first strictly validating 
   the syntax on a whitelist basis (only allow known safe content), the data 
   provider gains full access and control over your Javascript environment.  
   One way to mitigate this is to strictly validate the content.  I haven't 
   assessed whether the regex code in RFC 4627 suffices (I wouldn't recommend 
   using RFC 4627 for other things since it had poor review and includes a 
   number of errors).  A safer mitigation for this risk is to directly parse 
   the data and thus avoid the javascript "eval" risk.
 * As this format includes URIs that the processor is likely to follow, you 
   inherit the problems of URIs from potentially untrusted sources, as 
   described in RFC 3986.
 * You also have an issue about disclosure of internal network names for 
   the origins URI, if that's done on a restricted-access system.  Some 
   people consider that a security issue, so I presume it could be omitted 
   in that case?
 * I haven't read the formal specification but if you allow scripting or 
   arbitrary code then see the security issues described in RFC 4288.

		- Chris

--On March 27, 2009 18:18:02 +0000 jmr <John.Rice at Sun.COM> wrote:

> Hi,
>
> I am a developer working on the Packaging System which is part of the
> OpenSolaris.org project [1]. I would like to register a mime type for
> OpenSolaris.org's IPS packaging system, pkg(5) [2]:
>
> MimeType: application/vnd.pkg5.info
> File extension(s): .p5i
> Magic number(s): None
>
> The contents of the file are in JSON format (http://www.json.org/) and
> specify one or more Publishers to add to a user's system that is running
> OpenSolaris, along with an optional number of packages [3]. The mime
> type is bound to files of .p5i extension [4] and clicking on such a file
> on the OpenSolaris system launches the Package Manager application to
> process the file, prompting the user to install the named Repositories
> and Packages.
>
> I have read RFC 4288:
> - Media Type Specification and Registration Procedures:
> http://tools.ietf.org/html/rfc4288
>
> And as per guidelines in Section 5, wanted to submit this mime type for
> initial review and comment before submitting a formal request via:
>
> http://www.iana.org/cgi-bin/mediatypes.pl
>
>
> Best regards,
>
> John Rice
>
> Snr. Staff Engineer
> Dublin, Ireland
> Sun Microsystems
>
> [1]: http://www.opensolaris.org/os/
> [2]: http://opensolaris.org/sc/src/pkg/gate/src/man/pkg.5.txt
> http://www.opensolaris.org/os/project/pkg/
> http://www.opensolaris.org/os/package/
> [3]: http://blogs.sun.com/jmr/entry/packagemanager_for_2009_06
> [4]: Example .p5i file:
> -----------------------------------
> {
>   "publishers": [
>
>     {
>       "name": "opensolaris.org",
>       "packages": [
>         "SUNWfirefoxl10n-pl-PL", "SUNWthunderbirdl10n-pl-PL"
>       ],
>       "repositories": [
>         {
>           "collection_type": "core",
>           "description": "opensolaris.org",
>           "legal_uris": [
>             "http://opensolaris.org/license.html"
>           ],
>           "mirrors": [],
>           "name": "opensolaris.org",
>           "origins": [
>             "http://osol-re.sfbay.sun.com/"
>           ],
>           "refresh_seconds": 43200,
>           "registration_uri": "",
>           "related_uris": []
>         }
>       ]
>     },
>
>     {
>       "name": "sunfree",
>       "packages": [
>         "IPSFWjoe"
>       ],
>       "repositories": [
>         {
>           "collection_type": "supplemental",
>           "description": "sunfree",
>           "legal_uris": [],
>           "mirrors": [],
>           "name": "sunfree",
>           "origins": [
>             "http://pkg.sunfreeware.com:9000/"
>           ],
>           "refresh_seconds": 43200,
>           "registration_uri": "",
>           "related_uris": []
>         }
>       ]
>     },
>
>     {
>       "name": "contrib",
>       "repositories": [
>         {
>           "collection_type": "supplemental",
>           "description": "contrib",
>           "legal_uris": [
>             "http://pkg.opensolaris.org/contrib/license.html"
>           ],
>           "mirrors": [],
>           "name": "contrib",
>           "origins": [
>             "http://pkg.opensolaris.org/contrib/"
>           ],
>           "refresh_seconds": 43200,
>           "registration_uri": "",
>           "related_uris": []
>         }
>       ]
>     }
>
>   ],
>   "version": 1
> }
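As an added illustration of the validation Chris describes (this is example code, not code from the thread or from pkg(5)): a whitelist validator for .p5i documents that parses with json.loads instead of eval, rejects unknown keys and wrongly typed values, and only accepts absolute http(s) URIs in the fields a processor would follow. The key names and types are taken from the example file above; SAMPLE_P5I and the example.org host in it are constructed.

```python
import json
from urllib.parse import urlsplit
# Key whitelists, value types and a small sample, all derived from the thread's example .p5i.
PUBLISHER_KEYS = {"name": str, "packages": list, "repositories": list}
REPOSITORY_KEYS = {"collection_type": str, "description": str, "legal_uris": list,
                   "mirrors": list, "name": str, "origins": list, "refresh_seconds": int,
                   "registration_uri": str, "related_uris": list}
URI_KEYS = ("legal_uris", "mirrors", "origins", "related_uris", "registration_uri")
SAMPLE_P5I = ('{"publishers": [{"name": "example.org", "repositories": [{"name": "example.org", '
              '"origins": ["http://pkg.example.org/"], "registration_uri": ""}]}], "version": 1}')

def check_uri(uri, where, errors):
    # Only absolute http(s) URIs with a host may be followed; reject anything else up front.
    parts = urlsplit(uri) if isinstance(uri, str) else None
    if parts is None or parts.scheme not in ("http", "https") or not parts.netloc:
        errors.append(f"{where}: disallowed URI {uri!r}")

def check_object(obj, schema, where, errors):
    # Whitelist check: unknown keys or wrongly typed values are errors; True only if clean.
    before = len(errors)
    if not isinstance(obj, dict):
        errors.append(f"{where}: expected a JSON object")
    else:
        for key, value in obj.items():
            if key not in schema:
                errors.append(f"{where}: unknown key {key!r}")
            elif not isinstance(value, schema[key]) or isinstance(value, bool):  # bool is an int
                errors.append(f"{where}: wrong type for {key!r}")
    return len(errors) == before

def validate_p5i(text):
    # Parse with json.loads (never eval) and return the list of errors; [] means accepted.
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if (not isinstance(doc, dict) or set(doc) != {"publishers", "version"}
            or doc["version"] != 1 or not isinstance(doc["publishers"], list)):
        return ["top level must be an object with a publishers list and version 1"]
    errors = []
    for i, pub in enumerate(doc["publishers"]):
        if check_object(pub, PUBLISHER_KEYS, f"publishers[{i}]", errors):
            for j, repo in enumerate(pub.get("repositories", [])):
                rwhere = f"publishers[{i}].repositories[{j}]"
                if check_object(repo, REPOSITORY_KEYS, rwhere, errors):
                    for key in URI_KEYS:
                        value = repo.get(key, [])  # registration_uri is one string, "" if unused
                        for uri in ([value] if isinstance(value, str) and value else value or []):
                            check_uri(uri, f"{rwhere}.{key}", errors)
    return errors
```

Anything outside the whitelist (an extra key, a non-http(s) origin, a boolean where an integer is expected) produces an error instead of being handed on to the code that adds publishers.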