Request for mime type registration for application/vnd.pkg5.info
Chris Newman
Chris.Newman at Sun.COM
Sun Mar 29 22:17:51 CEST 2009
Based on the example, this seems like a sensible file format / data model
to provide pointers to software packages and repositories. There actually
isn't anything pkg5 specific about this format beyond the implicit
assumption that the repositories use pkg5 format. Have you considered
adding a "repository-type" field (with "pkg5" as one type), and writing a
formal specification so the file format might get broader adoption?
As for issues with the media type itself, the main complexity in the
write-up is the security considerations this will inherit, including:

* When JSON is processed in Javascript without first strictly validating
the syntax on a whitelist basis (only allow known safe content), the data
provider gains full access and control over your Javascript environment.
One way to mitigate this is to strictly validate the content. I haven't
assessed whether the regex code in RFC 4627 suffices (I wouldn't recommend
using RFC 4627 for other things since it had poor review and includes a
number of errors). A safer mitigation for this risk is to directly parse
the data and thus avoid the javascript "eval" risk.

* As this format includes URIs that the processor is likely to follow, you
inherit the problems of URIs from potentially un-trusted sources, as
described in RFC 3986.

* You also have an issue about disclosure of internal network names for
the origins URI, if that's done on a restricted-access system. Some people
consider that a security issue, so I presume it could be omitted in that
case?

* I haven't read the formal specification but if you allow scripting or
arbitrary code then see the security issues described in RFC 4288.
- Chris
--On March 27, 2009 18:18:02 +0000 jmr <John.Rice at Sun.COM> wrote:
> Hi,
>
> I am a developer working on the Packaging System which is part of the
> OpenSolaris.org project [1]. I would like to register a mime type for
> OpenSolaris.org's IPS packaging system, pkg(5) [2]:
>
> MimeType: application/vnd.pkg5.info
> File extension(s): .p5i
> Magic number(s): None
>
> The contents of the file are in JSON format (http://www.json.org/) and
> specify one or more Publishers to add to a users system that is running
> OpenSolaris, along with an optional number of packages [3]. The mime
> type is bound to files of .p5i extension [4] and clicking on such a file
> on the OpenSolaris system launches the Package Manager application to
> process the file, prompting the user to install the named Repositories
> and Packages.
>
> I have read rfc4288:
> - Media Type Specification and Registration Procedures:
> http://tools.ietf.org/html/rfc4288
>
> And as per guidelines in Section 5, wanted to submit this mime type for
> initial review and comment before submitting a formal request via:
>
> http://www.iana.org/cgi-bin/mediatypes.pl
>
>
> Best regards,
>
> John Rice
>
> Snr. Staff Engineer
> Dublin, Ireland
> Sun Microsystems
>
> [1]: http://www.opensolaris.org/os/
> [2]: http://opensolaris.org/sc/src/pkg/gate/src/man/pkg.5.txt
> http://www.opensolaris.org/os/project/pkg/
> http://www.opensolaris.org/os/package/
> [3]: http://blogs.sun.com/jmr/entry/packagemanager_for_2009_06
> [4]: Example .p5i file:
> -----------------------------------
> {
>   "publishers": [
>     {
>       "name": "opensolaris.org",
>       "packages": [
>         "SUNWfirefoxl10n-pl-PL", "SUNWthunderbirdl10n-pl-PL"
>       ],
>       "repositories": [
>         {
>           "collection_type": "core",
>           "description": "opensolaris.org",
>           "legal_uris": [
>             "http://opensolaris.org/license.html"
>           ],
>           "mirrors": [],
>           "name": "opensolaris.org",
>           "origins": [
>             "http://osol-re.sfbay.sun.com/"
>           ],
>           "refresh_seconds": 43200,
>           "registration_uri": "",
>           "related_uris": []
>         }
>       ]
>     },
>     {
>       "name": "sunfree",
>       "packages": [
>         "IPSFWjoe"
>       ],
>       "repositories": [
>         {
>           "collection_type": "supplemental",
>           "description": "sunfree",
>           "legal_uris": [],
>           "mirrors": [],
>           "name": "sunfree",
>           "origins": [
>             "http://pkg.sunfreeware.com:9000/"
>           ],
>           "refresh_seconds": 43200,
>           "registration_uri": "",
>           "related_uris": []
>         }
>       ]
>     },
>     {
>       "name": "contrib",
>       "repositories": [
>         {
>           "collection_type": "supplemental",
>           "description": "contrib",
>           "legal_uris": [
>             "http://pkg.opensolaris.org/contrib/license.html"
>           ],
>           "mirrors": [],
>           "name": "contrib",
>           "origins": [
>             "http://pkg.opensolaris.org/contrib/"
>           ],
>           "refresh_seconds": 43200,
>           "registration_uri": "",
>           "related_uris": []
>         }
>       ]
>     }
>   ],
>   "version": 1
> }
>
>
>
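A consumer-side check for the points raised in the review, written as an added example that is not part of this thread or of pkg(5) itself: it parses the document with json.loads rather than eval, rejects keys outside a whitelist drawn from the example .p5i file, and vets every URI before a client would follow it. The hostname heuristics, the function names and the SAMPLE document are this example's own assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Whitelist of keys and expected types, taken from the example .p5i document in the post.
REPO_KEYS = {"collection_type": str, "description": str, "legal_uris": list,
             "mirrors": list, "name": str, "origins": list, "refresh_seconds": int,
             "registration_uri": str, "related_uris": list}
PUB_KEYS = {"name": str, "packages": list, "repositories": list}

def uri_problems(uri):
    """Findings for a URI the client may follow (the RFC 3986 untrusted-source risk)."""
    p = urlsplit(uri)
    if p.scheme not in ("http", "https") or not p.hostname:
        return [f"scheme/host not acceptable: {uri}"]
    out = [f"userinfo in URI: {uri}"] if (p.username or p.password) else []
    try:  # reject loopback/private/link-local address literals outright
        if not ipaddress.ip_address(p.hostname).is_global:
            out.append(f"non-public address: {uri}")
    except ValueError:  # assumption: an unqualified host name points at an internal host
        if "." not in p.hostname:
            out.append(f"unqualified host: {uri}")
    return out

def key_problems(obj, allowed, where):
    # Whitelist validation: unknown keys and wrong types are findings, not silently kept.
    return [f"{where}: key {k!r} unknown or wrong type" for k in obj
            if k not in allowed or not isinstance(obj[k], allowed[k])]

def validate_p5i(text):
    """Parse with json.loads (never eval) and return findings; an empty list means OK."""
    doc = json.loads(text)
    findings = key_problems(doc, {"publishers": list, "version": int}, "document")
    if doc.get("version") != 1:
        findings.append("unsupported version")
    for pub in doc.get("publishers", []):
        findings += key_problems(pub, PUB_KEYS, f"publisher {pub.get('name')!r}")
        for repo in pub.get("repositories", []):
            findings += key_problems(repo, REPO_KEYS, f"repository {repo.get('name')!r}")
            uris = [u for k in ("origins", "mirrors", "legal_uris", "related_uris")
                    for u in repo.get(k, [])]
            uris += [repo["registration_uri"]] if repo.get("registration_uri") else []
            for uri in uris:
                findings += uri_problems(uri)
    return findings

# Constructed sample (not from the post): a clean origin, a private-address origin, a
# mirror with userinfo on an unqualified host, and an unknown key in the repository.
SAMPLE = json.dumps({"version": 1, "publishers": [{"name": "example", "packages": ["pkgA"],
    "repositories": [{"collection_type": "core", "description": "", "legal_uris": [],
    "mirrors": ["http://user@buildhost/"], "name": "example", "refresh_seconds": 43200,
    "origins": ["http://pkg.example.org/", "http://10.0.0.5/"], "registration_uri": "",
    "related_uris": [], "extra": 1}]}]})
```

Running validate_p5i(SAMPLE) yields four findings (the unknown key, the private address, and two for the mirror URI); a Package Manager would refuse to prompt the user on anything but an empty list.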