- From: Innovimax SARL <innovimax@gmail.com>
- Date: Fri, 8 Jun 2007 11:26:04 +0200
- To: "Alex Milowski" <alex@milowski.org>
- Cc: public-xml-processing-model-wg <public-xml-processing-model-wg@w3.org>

As a fail fast advocate, I strongly prefer the position that NOTHING be passed by default.

As a user, when I would call for an external pipeline, I would just include it, then run it.
Then there would be some errors telling me that some parameters required by an XSLT stylesheet are not available.
Then I will decide to ALLOW them all or to select some to make them available.

In a bigger timeframe, it will enforce pipeline providers to make sure they use only the parameters they want and no more, to prevent unexpected side effects.

I prefer the burden to be shared between users and pipeline providers.

At the opposite, your proposal says "Let's do the magic, but the fall for the user would be bigger when he/she will take hours to find nasty side effects".

I don't think it's the paradigm I vote for.

Mohamed

On 6/7/07, Alex Milowski <alex@milowski.org> wrote:
>
> We had a discussion today and a straw poll about parameters to the
> pipeline and whether or not they are passed to steps by default. I think
> this is expected behavior in the case where a user takes an XSLT
> transformation and then places it in a simple pipeline with some
> set of pre-steps like XInclude.
>
> I reject the argument against this because of security concern as:
>
> * parameters are no different than pipeline inputs or outputs in
> terms of security. That is, if you are concerned about pipeline
> invocation from a security perspective, all inputs--xml or parameters--are
> equally troubling.
>
> * the pipeline author now has the control to exclude pipeline
> parameters from a step. This means a pipeline author can write
> a "secure step" that can't be affected by pipeline parameters
>
> * true security relies upon securing the execution environment from
> doing harm to the local system (e.g. as a "jail" or "secure VM"). As such,
> parameters, inputs, and outputs have little to do with this.
>
> --
> --Alex Milowski
> "The excellence of grammar as a guide is proportional to the paucity of the
> inflexions, i.e. to the degree of analysis effected by the language
> considered."
>
> Bertrand Russell in a footnote of Principles of Mathematics
>
>

--
Innovimax SARL
Consulting, Training & XML Development
9, impasse des Orteaux
75020 Paris
Tel : +33 8 72 475787
Fax : +33 1 4356 1746
http://www.innovimax.fr
RCS Paris 488.018.631
SARL au capital de 10.000 €

Received on Friday, 8 June 2007 09:26:14 UTC