cnabio / cnab-spec

Cloud Native Application Bundle Specification
https://cnab.io

There are Several "Canonical JSON" Standards #430

Open cedricvanrompay-datadog opened 1 year ago

cedricvanrompay-datadog commented 1 year ago

Section 1.i ("The bundle.json File") states:

The bundle.json file is a representation of bundle metadata. It MUST be represented as Canonical JSON. While Canonical JSON is parseable by any JSON parser, its serialized form is consistent. This is a necessity when comparing two textual representations of the same data (such as when hashing).

The link for "Canonical JSON" points to http://wiki.laptop.org/go/Canonical_JSON. However, this "Canonical JSON specification" is not the only one. In particular, RFC 8785 JSON Canonicalization Scheme (JCS) is another "Canonical JSON" specification that's gaining popularity.

The two specifications may have subtle incompatibilities, typically when it comes to the serialization of unicode strings and floating-point numbers.

You may want to insist on exactly which "Canonical JSON" specification you are referring to, to avoid subtle incompatibility issues between various CNAB tools.

For instance, CNAB-Go, which seems to be the "reference implementation", uses the github.com/cyberphone/json-canonicalization package, which implements RFC 8785, which is not the spec linked to in the CNAB spec.

One example of a Go package declaring to be compatible with http://wiki.laptop.org/go/Canonical_JSON is https://github.com/secure-systems-lab/go-securesystemslib/cjson.

I would suggest to
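As an added illustration (not code from the issue, from cnab-go, or from either specification's reference implementation), here are minimal Python serializers for the two schemes discussed above, run on a constructed bundle-like document that exercises the string, number and key-ordering differences; the JCS number formatting covers common values only, not every ECMAScript corner case.

```python
import hashlib
import json

# Constructed sample (not from the issue): a bundle-like document that hits the
# three points where OLPC "Canonical JSON" and RFC 8785 (JCS) disagree.
SAMPLE = {
    "name": "example-bundle",
    "description": "line one\nline two",  # control character inside a string
    "version": 1.5,                        # floating-point number
    "\uff01": "bmp-char-key",              # U+FF01: a single UTF-16 code unit
    "\U0001f600": "astral-key",            # U+1F600: a surrogate pair in UTF-16
}
SAMPLE_NO_FLOAT = {k: v for k, v in SAMPLE.items() if k != "version"}

def olpc_canonical(value) -> bytes:
    """OLPC Canonical JSON: keys sorted by UTF-8 bytes, only '"' and '\\' escaped,
    everything else (newlines included) written as raw UTF-8, integers only."""
    if isinstance(value, bool) or value is None:
        return json.dumps(value).encode()
    if isinstance(value, int):
        return str(value).encode()
    if isinstance(value, float):
        raise ValueError("OLPC Canonical JSON does not allow floating-point numbers")
    if isinstance(value, str):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return b'"' + escaped.encode("utf-8") + b'"'
    items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-8"))
    return b"{" + b",".join(olpc_canonical(k) + b":" + olpc_canonical(v) for k, v in items) + b"}"

def jcs_canonical(value) -> bytes:
    """RFC 8785 JCS: keys sorted by UTF-16 code units, JSON.stringify-style escapes
    (json.dumps matches), floats in shortest form with no '.0' (common cases only)."""
    if isinstance(value, bool) or value is None:
        return json.dumps(value).encode()
    if isinstance(value, int):
        return str(value).encode()
    if isinstance(value, float):
        return (str(int(value)) if value.is_integer() else repr(value)).encode()
    if isinstance(value, str):
        return json.dumps(value, ensure_ascii=False).encode("utf-8")
    items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
    return b"{" + b",".join(jcs_canonical(k) + b":" + jcs_canonical(v) for k, v in items) + b"}"

def canonical_digests(doc) -> dict:
    """SHA-256 of each canonical form; None where the scheme rejects the document."""
    try:
        olpc = hashlib.sha256(olpc_canonical(doc)).hexdigest()
    except ValueError:
        olpc = None
    return {"olpc": olpc, "jcs": hashlib.sha256(jcs_canonical(doc)).hexdigest()}
```

Even on the float-free document the two schemes order the last two keys differently and encode the newline differently, so a bundle digest computed under one scheme will not verify under the other.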

carolynvs commented 1 year ago

The spec originally linked to http://wiki.laptop.org/go/Canonical_JSON but later we realized that it didn't work well for what we needed so we switched to RFC 8785 in PR #414.

Thank you for raising that we forgot to update the link to canonical json at the same time. If you'd like to submit a PR to fix the link and add a note about which specific canonical json we are following, it would be welcome!

For Porter, we use RFC 8785 (since cnab-go is a dependency). What are you using at DataDog?