- From: Robin Berjon <robin@berjon.com>
- Date: Mon, 16 Mar 2009 17:03:39 +0100
- To: marcosc@opera.com
- Cc: "Hillebrand, Rainer" <Rainer.Hillebrand@t-mobile.net>, Arthur Barstow <art.barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Hi Marcos,
On Mar 16, 2009, at 16:00 , Marcos Caceres wrote:
> On Mon, Mar 16, 2009 at 3:44 PM, Robin Berjon <robin@berjon.com>
> wrote:
>> I would like to echo these concerns. I may have missed something
>> but it is
>> still rather unclear to me how making config.xml required improves
>> security.
>> I would expect there to be default, security-conscious options that
>> would
>> apply irrespective of the presence of a config.xml document, and
>> would also
>> be the default values for the elements it contains when they are
>> absent. I
>> don't have an extremely strong opinion here, but I do see value in
>> making
>> widget creation as simple as possible: at the simplest, just zip up
>> that
>> index.svg file you have, rename the zip, and run with it.
>
> That's what we were thinking all along. Implementation experience has
> shown this level of simplicity to be problematic. Adding a config
> encourages developers to include some metadata. This is a good thing.
I've looked through the archives but I can't find examples of your
implementation experience, could you point me to it (if you've send
it) or otherwise describe it? To make my position clear: I'm not
virulently against mandating config.xml but everything extra we
require from developers adds up to a cost so I'm likely to push back
until presented with strong evidence.
I worry about your example of encouraging developers to include
metadata: my experience is that when you require data from people who
don't see the point of providing them they either provide gibberish or
copy and paste data, and bad data are worse than no data at all. Won't
people be encourage to provide metadata in order to upload their
widgets to online repositories? That's a case in which the incentive
to "do it right" is pretty high and obvious. For quick and dirty
playing around with something, I know for a fact that I'd just copy my
config.xml from another widget; requiring it sounds a lot like all the
noise you have to write around System.out.println("Hello World") in
Java.
>> The use case of wanting to identify a widget that does not have the
>> media
>> type or file extension seems to me tenuous at best. In fact, if I
>> happen to
>> have a zip archive that happens to contain a config.xml I wouldn't
>> want
>> anything to assume that it's a widget and I've somehow made a
>> mistake. I
>> want it treated as a vanilla zip archive until such a time as I
>> decide
>> otherwise.
>
> That's why the namespace is mandatory. That guarantees "widgetness",
> no?
I'm not sure I follow you, aren't the extension or the media type
enough to guarantee a file is widgetarian? Either way, identifying a
widget (with content sniffing in this case) and trying to encourage
best practices are different issues; am I right in understanding those
are the two reasons you have to request this change?
--
Robin Berjon - http://berjon.com/
Feel like hiring me? Go to http://robineko.com/
Received on Monday, 16 March 2009 16:04:16 UTC