Because now all subscriptions are ephemeral the hub should respond with a hub.lease_seconds on every subscription.
At some point we should add an appendix with best practices to suggest that hubs should have both a min_lease_seconds and max_lease_seconds. I noticed that pubsubhubbub.appspot.com does not have a min_lease_seconds which is bad. A malicious user can subscribe lots of endpoints (which are on another site) with lease_seconds = 1 which might end up with a hub performing a DOS attach on the target site. That's not cool :-)
Because now all subscriptions are ephemeral the hub should respond with a hub.lease_seconds on every subscription.
At some point we should add an appendix with best practices to suggest that hubs should have both a min_lease_seconds and max_lease_seconds. I noticed that pubsubhubbub.appspot.com does not have a min_lease_seconds which is bad. A malicious user can subscribe lots of endpoints (which are on another site) with lease_seconds = 1 which might end up with a hub performing a DOS attach on the target site. That's not cool :-)