w3c / webappsec-subresource-integrity

WebAppSec Subresource Integrity
https://w3c.github.io/webappsec-subresource-integrity/

Edit 3.3.2 Parse metadata in more detail #110

Closed baek9 closed 1 year ago

baek9 commented 2 years ago

This modifies "3.3.2 parse metadata" to parse metadata using primitives from https://infra.spec.whatwg.org/#string instead of ABNF grammar from https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options. This makes it clear that the user agent does not need to validate the base64 digest contained in the metadata. Also, since it induces fail-open for invalid metadata, the compatibility of the SRI is guaranteed in the future.

Issue number : #84


domfarolino commented 2 years ago

I know @annevk had some opinions over on #84, so let me request his first-pass here.

baek9 commented 2 years ago

> This largely looks good to me, but I think you want to use https://infra.spec.whatwg.org/#strictly-split instead. (Note also that you cannot initialize a variable twice. After "Let" you'll have to use "Set", but this might no longer be a problem if you refactor to use split.)

Instead of "collect" and "substring", I thought of parsing a single metadata using "split" as shown below.

Let |tokenlist| be the result of splitting |metadata| on U+002D (-) and on U+003F (?).

However, this will parse the option completely when there is only one "U+003F (?)".

The specification does not explicitly define option. It appears that non-ASCII characters must be encoded/wrapped with "=?" and "?=" by RFC-2047, even if it is defined as MIME types in the future. Therefore, I thought I couldn't guarantee that the option won't contain "U+003F (?)", which shouldn't act as a delimiter.

annevk commented 2 years ago

You'd have to split on ? first and then - separately. It doesn't really matter what is in option as the processing model ignores it. A future version could amend this algorithm if it becomes significant in some manner.

baek9 commented 2 years ago

> You'd have to split on ? first and then - separately. It doesn't really matter what is in option as the processing model ignores it. A future version could amend this algorithm if it becomes significant in some manner.

That is, along with the precise definition of option, new processing algorithms associated with it will also be considered in the future. Thank you for the explanation.

baek9 commented 2 years ago

@annevk I wrote new commit for the pull request, so please review it.

baek9 commented 2 years ago

I have accepted all of the feedback given by @annevk, thank you. And any other opinions? @domfarolino If not, it seems that it could be the final version of this PR. For the case of the IPR issue, I would like to agree with the non-participant license commitment for solving it.

By the way, I have a request. I want to add my name to section 6, acknowledgments. Can I change the index.bs file? or is there another way to do it?

mozfreddyb commented 2 years ago

@samuelweiler As the w3c team contact, can you help @baek9 with the non-participant license agreement?

baek9 commented 2 years ago

@domfarolino Please check again if there are any other opinions. If no further modifications are necessary, as mozfreddyb said, I will proceed with the non-participant license agreement with the help of samuelweiler. And I would also like to ask if the contribution #110 with #111(done), #112(in progress) would be enough to put my name in section 6.

domfarolino commented 1 year ago

I think this looks fine to me, but I don't think I can submit a formal review, maybe because I don't have edit access to the repo?

@samuelweiler can you please help @baek9 out with the non-participant license agreement?

@annevk Does this look OK to you since your last review?

domfarolino commented 1 year ago

> And I would also like to ask if the contribution https://github.com/w3c/webappsec-subresource-integrity/pull/110 with https://github.com/w3c/webappsec-subresource-integrity/pull/111(done), https://github.com/w3c/webappsec-subresource-integrity/pull/112(in progress) would be enough to put my name in section 6.

Good question; I suppose that's up to the editors, but since there are 9 names in that list and 25 contributors to the spec, I am left to imagine that those names are of people who materially directed the scaffolding of this specification from perhaps the very beginning... but not sure.

annevk commented 1 year ago

We should definitely acknowledge @baek9 for the issues and the effort towards addressing them. If others were overlooked we should add them too.

baek9 commented 1 year ago

@annevk @domfarolino Thanks again for your review. However, I have not yet been notified of non-participant agreements.

@samuelweiler Any help with non-participant license agreements would be appreciated. Thank you.

sideshowbarker commented 1 year ago

@baek9 If you work for ETRI, the W3C prefers that you ask the W3C advisory-committee rep from ETRI — Kangchan Lee — to add you to the WebAppSec working group as a member. If you don’t know how to contact Kangchan, please let me know, and I can put you two in touch.

Otherwise, if for some reason you’re unable to join the working group as a participant from ETRI, then please let me know, and we can work out a way for you to sign the non-participant license commitment as an individual.

baek9 commented 1 year ago

@sideshowbarker I am working at the Attached Institute of ETRI. Although the name is similar, and it was once part of ETRI, a lot of time has passed and they are now different organizations. Therefore, participation in the WebAppSec Working Group is not a possible choice for me. For this reason, I would like to make the non-participant license commitment.

sideshowbarker commented 1 year ago

@baek9 OK, understand. Given that, please create and submit a new comment with the following content:

"I Taeho Nam, commit to license all my Essential Claims both in the contribution https://github.com/w3c/webappsec-subresource-integrity/pull/110, and that become Essential Claims as a result of incorporating the contribution into the draft that existed at the time of the contribution, on the terms specified in section 5 of the W3C Patent Policy.

I represent that I am legally entitled to grant the necessary licenses for my contribution as described in the Patent Policy, especially in Section 3.4 thereof. If my employer or any other party has rights to my contributions, I represent that I have received permission to make the relevant licensing commitments according to the W3C Patent Policy on behalf of such party as if it had made the contribution under this Agreement.

I agree to comply with the disclosure obligations to the extent of my personal knowledge, as required by Section 6 of the Patent Policy.

Copyright Grant. I grant to you a perpetual (for the duration of the applicable copyright), worldwide, non-exclusive, no-charge, royalty-free, copyright license, without any obligation for accounting to me, to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, distribute, and implement any Contribution to the full extent of my copyright interest in the Contribution.

This Agreement shall be deemed to have been entered into and shall be interpreted and governed in all respects by the laws of The Commonwealth of Massachusetts and the United States of America.

sideshowbarker commented 1 year ago

@baek9 Additionally, please use https://www.w3.org/accounts/request to create a W3C account and to link it to your GitHub account.

baek9 commented 1 year ago

@sideshowbarker I tried to create a W3C account, but it requires information about the employment relationship. It is essential to fill out the "Add new organization" form. Is this process unrelated to https://www.w3.org/Consortium/join.html? In other words, I want to check if the process for proceeding with a non-participant agreement is correct. Thanks.

sideshowbarker commented 1 year ago

> @sideshowbarker I tried to create a W3C account, but it requires information about the employment relationship.

The https://www.w3.org/accounts/request form normally doesn’t require information about an employment relationship. But I can imagine that it might do a check on your e-mail address, and if the domain part of that e-mail address is one that’s recognized as belonging to an existing W3C member organization, the behavior changes.

If you have a different e-mail address you can register with, maybe try that.

> In other words, I want to check if the process for proceeding with a non-participant agreement is correct.

The W3C system for keeping track of royalty-free patent commitments for GitHub PRs depends on there being a W3C user account for the person who authored the PR. So that‘s why it’s necessary to have a W3C account, and to have it linked to your GitHub account.

baek9 commented 1 year ago

@sideshowbarker As tested, https://www.w3.org/accounts/request does not ask about an employment relationship if you have an e-mail address on the domain of a W3C member organization (e.g., @etri.re.kr), are a student, or are unemployed. Because I am in none of those cases, I need to enter the name of the company, country, city and street. And I want to confirm that this is not forcing my company to go through the process of becoming a W3C member.

sideshowbarker commented 1 year ago

Completing the https://www.w3.org/accounts/request form is definitely not forcing your company to go through the process of becoming a W3C member. Instead it’s simply just you as an individual getting a personal account.

baek9 commented 1 year ago

"I Taeho Nam, commit to license all my Essential Claims both in the contribution https://github.com/w3c/webappsec-subresource-integrity/pull/110, and that become Essential Claims as a result of incorporating the contribution into the draft that existed at the time of the contribution, on the terms specified in section 5 of the W3C Patent Policy.

I represent that I am legally entitled to grant the necessary licenses for my contribution as described in the Patent Policy, especially in Section 3.4 thereof. If my employer or any other party has rights to my contributions, I represent that I have received permission to make the relevant licensing commitments according to the W3C Patent Policy on behalf of such party as if it had made the contribution under this Agreement.

I agree to comply with the disclosure obligations to the extent of my personal knowledge, as required by Section 6 of the Patent Policy.

Copyright Grant. I grant to you a perpetual (for the duration of the applicable copyright), worldwide, non-exclusive, no-charge, royalty-free, copyright license, without any obligation for accounting to me, to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, distribute, and implement any Contribution to the full extent of my copyright interest in the Contribution.

This Agreement shall be deemed to have been entered into and shall be interpreted and governed in all respects by the laws of The Commonwealth of Massachusetts and the United States of America.

baek9 commented 1 year ago

> @baek9 OK, understand. Given that, please create and submit a new comment with the following content:
>
> "I Taeho Nam, commit to license all my Essential Claims both in the contribution https://github.com/w3c/webappsec-subresource-integrity/pull/110, and that become Essential Claims as a result of incorporating the contribution into the draft that existed at the time of the contribution, on the terms specified in section 5 of the W3C Patent Policy.
>
> I represent that I am legally entitled to grant the necessary licenses for my contribution as described in the Patent Policy, especially in Section 3.4 thereof. If my employer or any other party has rights to my contributions, I represent that I have received permission to make the relevant licensing commitments according to the W3C Patent Policy on behalf of such party as if it had made the contribution under this Agreement.
>
> I agree to comply with the disclosure obligations to the extent of my personal knowledge, as required by Section 6 of the Patent Policy.
>
> Copyright Grant. I grant to you a perpetual (for the duration of the applicable copyright), worldwide, non-exclusive, no-charge, royalty-free, copyright license, without any obligation for accounting to me, to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, distribute, and implement any Contribution to the full extent of my copyright interest in the Contribution.
>
> This Agreement shall be deemed to have been entered into and shall be interpreted and governed in all respects by the laws of The Commonwealth of Massachusetts and the United States of America.

Done.

baek9 commented 1 year ago

> @baek9 Additionally, please use https://www.w3.org/accounts/request to create a W3C account and to link it to your GitHub account.

Done. Thank you.