Hacker Read

agentultra · 2024-04-23 15:28:10

Specifications can change over time. It sounds to me as though the developer who made the change to the system that invalidated the invariant of the original specification wasn't aware of the spec in the first place. Maybe they should have worked on the specification first before proceeding.

Sounds like a communication issue to me.

reply

winteriscoming | karma 683 | avg karma 4.3 · | 2016-12-13 08:10:33+00:00

I haven't taken a look at the spec, but assuming what's noted in that issue comment is indeed the case, then I find it surprising that something as obvious as this would not be fixed/raised during the RFC and review of the spec itself.

rockdoe | karma 1819 | avg karma 2.72 · | 2015-05-29 11:45:42+00:00

I think the original intent of the spec was to allow some flexibility... in practice supporting this flexibility lead to some vulnerabilities.

I think less than a week ago (weakdh) tptacek was mentioning on twitter that security schemes should be versioned but not extensible exactly due to these kind of errors.

reply

chriseppstein | karma 997 | avg karma 6.97 · | 2009-10-19 13:21:27

In this case, the something wrong is that the specification didn't have the foresight to create a syntax robust enough to support actually upgrading the spec for real users. Discarding unrecognized syntax is a nice, robust behavior, but it doesn't cut it.

scabarott | karma 306 | avg karma 3.36 · | 2019-08-13 17:30:05+00:00

There is a spec, just not a formal fixed in time one. There's only one reference implementation so that might as well be taken as the de-facto spec.

dllthomas | karma 14749 | avg karma 1.38 · | 2016-01-08 17:54:06

"If it isn't in the specification, it isn't legitimate, period."

You have some goal you're trying to achieve, or why was a specification written at all? If you find that the existing specification is not the optimal path to that goal, you may very well want to change the specification. In which case, it's entirely legitimate.

reply

tehbeard | karma 2331 | avg karma 2.8 · | 2022-08-19 15:45:24

That's not a standardized implementation it's a draft spec that's years old and expired.

d4kmor | karma 111 | avg karma 3.08 · | 2021-04-27 06:33:10+00:00

Interesting - I didn't knew that one. It seems very security related - I'm not sure if issues for not supporting a specific part in a spec or for improving documentation for a feature will fit in.

What do you think?

reply

__david__ | karma 6442 | avg karma 3.05 · | 2011-07-12 23:55:56+00:00

Which specification does it violate?

kolme | karma 645 | avg karma 3.21 · | 2022-05-04 02:31:35

That's the _worst_ kind of specification. "It has to be like the old one, but with this differences".

That means you have to study the old code, which is of course poorly documented and probably buggy; and then try to reproduce it in a sane way.

reply

sametmax | karma 16793 | avg karma 3.97 · | 2017-02-21 00:01:13+00:00

Let's not ad something to the spec because vendors don't implement the spec correctly. That makes no sense.

What makes you think they will implement the new one correctly ?

Plus they are wrong in the first place.

reply

trogdc | karma | avg karma · | 2021-01-11 05:48:33

Those are intentional deviations from the standard, and I think there's a reasonable assumption that those stay the same/compatible from version to version. I think the other kind are a bit more problematic, and without a standard it can be difficult to tell whether your assumptions are reasonable.

elevanation | karma 151 | avg karma 2.32 · | 2022-04-21 05:26:04

I don't see a clear "why" for fixing this explained in the post. Yet if we assume this should be fixed, how should the community fix this?

Has this been discussed at the appropriate standards bodies and conferences?

reply

alanbernstein | karma 2819 | avg karma 2.36 · | 2023-10-09 15:00:15

Ah, good to know. I'm tempted to respond that this means the spec has failed to address an important use case. But I'm certainly not going to learn enough of the spec to back up that claim.

talmand | karma 5168 | avg karma 1.45 · | 2016-08-24 16:37:34+00:00

Then the specification is wrong, needs to be updated.

kentonv | karma 16335 | avg karma 7.39 · | 2024-02-16 20:58:19

Yes, I'd add to that by pointing out that the "spec" is a de facto spec subject to Hyrum's Law, that is, people have built their apps against other implementations of the platform and inevitably don't handle any behavior not seen on those other implementations.

pvg | karma 14880 | avg karma 1.9 · | 2017-05-19 19:43:53+00:00

This might be because these are about (important) implementation details the spec quite deliberately does not specify.

captn3m0 | karma 9883 | avg karma 3.48 · | 2020-08-16 18:51:14+00:00

The new spec (2.0, not implemented by any client) is made by a committee that is also building a standard DRM implementation to go alongside it. (Search for Readium).

That was when I lost all interest in the new spec.

reply

andrewstuart | karma 21959 | avg karma 3.99 · | 2016-03-28 03:44:18+00:00

>> but that they should be protected from instability.

Appropriate protection is a warning in the docs "this code might change when the spec is finalised".

Inappropriate protection is hiding those features away behind difficult-to-configure barriers making it only possible for experts to configure their systems to run it.

reply

Kaze404 | karma 2214 | avg karma 2.11 · | 2020-03-31 22:25:25

Fair enough. It just confused me, I thought it somehow got accepted into the spec without me noticing :p