Posted to dev@hc.apache.org by Oleg Kalnichevski <ol...@apache.org> on 2014/08/28 11:20:04 UTC

[Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
> 
> > I have pretty much completely rewritten every bit of code related to
> > hostname verification in SVN trunk. 
> > 
> > https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
> > 
> > I would truly appreciate someone doing a peer review of the changes
> > and / or giving me feedback with regards to further improvements.
> 
> Looks good. Couple of thoughts
> 
> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN 
> 
> My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically 
> 
> 	https://publicsuffix.org/list/effective_tld_names.dat  
> 

Folks

It turns out that we already have a substantial amount of code for
publicsuffix.org support in our 'cookie' module. It was contributed by
Ortwin 'Odi' Glueck some while ago.

I would like to enhance the existing implementation and also extend its
test coverage. 

There is a set of test scenarios distributed by Mozilla, which I would
like to re-use   

http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1

It is distributed as Creative Commons zero copyright. We can incorporate
those test scenarios. Do we need to add an attribution clause to our NOTICE
and the Zero Copyright license to our LICENSE file?

What do you think?

Oleg
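
The approach suggested in the quoted review above, replacing hard-coded lists such as BAD_COUNTRY_2LDS with rules parsed from the public suffix list, shown in Python as an added example. It is not HttpClient's code: the rule excerpt is constructed, every function name is illustrative, and host names are assumed to be ASCII (punycode).

```python
# Constructed excerpt in the effective_tld_names.dat format: "//" comments,
# one rule per line, "*." wildcard rules and "!" exception rules.
SAMPLE_RULES = """\
// constructed sample, not the real list
com
uk
co.uk
jp
*.kobe.jp
!city.kobe.jp
"""


def parse_rules(text):
    """Return (rules, exceptions) as sets of label tuples."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rule = line.split()[0].lower()  # a rule ends at the first whitespace
        if rule.startswith("!"):
            exceptions.add(tuple(rule[1:].split(".")))
        else:
            rules.add(tuple(rule.split(".")))
    return rules, exceptions


def public_suffix(host, rules, exceptions):
    """Apply the list's algorithm: exception rules win, then the longest match."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if tuple(labels[i:]) in exceptions:
            return ".".join(labels[i + 1:])  # drop the exception's leftmost label
    for i in range(len(labels)):  # longest candidate first
        cand = tuple(labels[i:])
        if cand in rules or ("*",) + cand[1:] in rules:
            return ".".join(cand)
    return labels[-1]  # no rule matched: the implicit "*" rule


def registrable_domain(host, rules, exceptions):
    """Public suffix plus one label, or None if host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules, exceptions).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def wildcard_allowed(pattern, rules, exceptions):
    """Accept '*.base' only if every name it covers stays inside one
    registrable domain, so '*.co.uk' and '*.kobe.jp' are both refused."""
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    base = pattern[2:].lower()
    # Substitute a probe label for the wildcard and see where it lands.
    reg = registrable_domain("wildcard-probe." + base, rules, exceptions)
    return reg is not None and (base == reg or base.endswith("." + reg))


def host_matches(pattern, host, rules, exceptions):
    """Match a certificate identity against a host; '*' covers one label only."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not wildcard_allowed(pattern, rules, exceptions):
        return False
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]


RULES, EXCEPTIONS = parse_rules(SAMPLE_RULES)
```

The `*.kobe.jp` case is the one a fixed list of two-label country suffixes tends to miss: `kobe.jp` is not itself a public suffix in this excerpt, but every name directly beneath it (other than the exception) is.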


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by sebb <se...@gmail.com>.
On 28 August 2014 20:22, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Thu, 2014-08-28 at 20:19 +0100, sebb wrote:
>> On 28 August 2014 20:11, Oleg Kalnichevski <ol...@apache.org> wrote:
>> > On Thu, 2014-08-28 at 16:51 +0100, sebb wrote:
>> >> On 28 August 2014 10:20, Oleg Kalnichevski <ol...@apache.org> wrote:
>> >> > On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
>> >> >> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
>> >> >>
>> >> >> > I have pretty much completely rewritten every bit of code related to
>> >> >> > hostname verification in SVN trunk.
>> >> >> >
>> >> >> > https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>> >> >> >
>> >> >> > I would truly appreciate someone doing a peer review of the changes
>> >> >> > and / or giving me feedback with regards to further improvements.
>> >> >>
>> >> >> Looks good. Couple of thoughts
>> >> >>
>> >> >> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
>> >> >>
>> >> >> My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically
>> >> >>
>> >> >>       https://publicsuffix.org/list/effective_tld_names.dat
>> >> >>
>> >> >
>> >> > Folks
>> >> >
>> >> > It turns out that we already have a substantial amount of code for
>> >> > publicsuffix.org support in our 'cookie' module. It was contributed by
>> >> > Ortwin 'Odi' Glueck some while ago.
>> >> >
>> >> > I would like to enhance the existing implementation and also extend its
>> >> > test coverage.
>> >> >
>> >> > There is a set of test scenarios distributed by Mozilla, which I would
>> >> > like to re-use
>> >> >
>> >> > http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
>> >> >
>> >> > It is distributed as Creative Commons zero copyright. We can incorporate
>> >> > those test scenarios. Do we need to add attribution clause to our NOTICE
>> >> > and Zero Copyright license to our LICENSE file?
>> >> >
>> >> > What do you think?
>> >>
>> >> The rule for adding stuff to NOTICE is here:
>> >>
>> >> http://www.apache.org/legal/resolved.html#required-third-party-notices
>> >>
>> >> What is the exact wording of the license used by Mozilla?
>> >> Is there a URL for it?
>> >>
>> >
>> > The license can be found here:
>> >
>> > http://creativecommons.org/publicdomain/zero/1.0/
>>
>> That's not actually the license, nor does the link to the full text
>> appear to be the text of the license.
>>
>> I was after the link to the license details on the Mozilla site.
>>
>
> This is all we have [1]
>
> ---
> // Any copyright is dedicated to the Public Domain.
> // http://creativecommons.org/publicdomain/zero/1.0/
> ---

AFAICT, there is no attribution requirement so no need to update NOTICE.

However, it's not clear what needs to go in the LICENSE file as it is
not clear what the license text is.

> Oleg
>
> [1]
> http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
>


Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2014-08-28 at 20:19 +0100, sebb wrote:
> On 28 August 2014 20:11, Oleg Kalnichevski <ol...@apache.org> wrote:
> > On Thu, 2014-08-28 at 16:51 +0100, sebb wrote:
> >> On 28 August 2014 10:20, Oleg Kalnichevski <ol...@apache.org> wrote:
> >> > On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
> >> >> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
> >> >>
> >> >> > I have pretty much completely rewritten every bit of code related to
> >> >> > hostname verification in SVN trunk.
> >> >> >
> >> >> > https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
> >> >> >
> >> >> > I would truly appreciate someone doing a peer review of the changes
> >> >> > and / or giving me feedback with regards to further improvements.
> >> >>
> >> >> Looks good. Couple of thoughts
> >> >>
> >> >> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
> >> >>
> >> >> My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically
> >> >>
> >> >>       https://publicsuffix.org/list/effective_tld_names.dat
> >> >>
> >> >
> >> > Folks
> >> >
> >> > It turns out that we already have a substantial amount of code for
> >> > publicsuffix.org support in our 'cookie' module. It was contributed by
> >> > Ortwin 'Odi' Glueck some while ago.
> >> >
> >> > I would like to enhance the existing implementation and also extend its
> >> > test coverage.
> >> >
> >> > There is a set of test scenarios distributed by Mozilla, which I would
> >> > like to re-use
> >> >
> >> > http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
> >> >
> >> > It is distributed as Creative Commons zero copyright. We can incorporate
> >> > those test scenarios. Do we need to add attribution clause to our NOTICE
> >> > and Zero Copyright license to our LICENSE file?
> >> >
> >> > What do you think?
> >>
> >> The rule for adding stuff to NOTICE is here:
> >>
> >> http://www.apache.org/legal/resolved.html#required-third-party-notices
> >>
> >> What is the exact wording of the license used by Mozilla?
> >> Is there a URL for it?
> >>
> >
> > The license can be found here:
> >
> > http://creativecommons.org/publicdomain/zero/1.0/
> 
> That's not actually the license, nor does the link to the full text
> appear to be the text of the license.
> 
> I was after the link to the license details on the Mozilla site.
> 

This is all we have [1]

---
// Any copyright is dedicated to the Public Domain.
// http://creativecommons.org/publicdomain/zero/1.0/
---

Oleg

[1]
http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1






Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Fri, 2014-08-29 at 12:15 +0200, Dirk-Willem van Gulik wrote:
> > On 29 Aug 2014, at 10:18, Oleg Kalnichevski <ol...@apache.org> wrote:
> > 
> > On Thu, 2014-08-28 at 22:34 +0100, sebb wrote:
> >> On 28 August 2014 20:32, Asankha C. Perera <as...@apache.org> wrote:
> > 
> > ...
> > 
> >>> I think that is the legal text.. but for the NOTICE file we could possibly
> >>> use just the following two lines to keep it short?
> >>> 
> >>> 
> >>> // Any copyright is dedicated to the Public Domain.
> >>> // http://creativecommons.org/publicdomain/zero/1.0/
> >>> 
> >> 
> >> That would not be sufficient, as it is not clear to what the lines refer.
> >> 
> >> However, we should not add anything to NOTICE unless it is _required_.
> >> This does not appear to be the case here.
> >> 
> >> NOTICE is for _required_ attributions.
> >> 
> > 
> > What does this mean in plain English? We apparently are not required to
> > make a formal attribution to the original author. Can I go ahead and
> > copy the test data to HC test code tree?
> 
> 
> These things are not that black and white. 
> 
> Part of it is courtesy; part of it is leaving enough breadcrumbs for our peers 
> 20+ years later -and- for our end users when they need to sort through IP 
> issues.
> 
> So I suggest that:
> 
> -	leave NOTICE as is - as it is for the more 'you must read' this
> 	sort of things.
> 
> -	Add a section in the LICENSE file -OR- an extra file in the publicsuffix
> 	directory in which you import the publicsuffix data which says
> 	something like:
> 
> 	"
> 	These files/directory/XX have been included under a CC0 1.0
> 	Public Domain Dedication (url). The original can be found
> 	at url.
> 	"
> 
> And in any case - put a note in the release notes. Especially if you go down the
> path of just a file with the directory as opposed to something at the end
> of the license file.
> 
> That should make it easy for anyone to find the information reasonably easy; without 
> cluttering things up too much.
> 
> Thanks,
> 
> Dw.
> 	
> 

May all this licensing stuff burn in hell. I'll run the tests locally to
make sure our implementation is compliant but will not commit the tests
to the repository.

Oleg






Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
> On 29 Aug 2014, at 10:18, Oleg Kalnichevski <ol...@apache.org> wrote:
> 
> On Thu, 2014-08-28 at 22:34 +0100, sebb wrote:
>> On 28 August 2014 20:32, Asankha C. Perera <as...@apache.org> wrote:
> 
> ...
> 
>>> I think that is the legal text.. but for the NOTICE file we could possibly
>>> use just the following two lines to keep it short?
>>> 
>>> 
>>> // Any copyright is dedicated to the Public Domain.
>>> // http://creativecommons.org/publicdomain/zero/1.0/
>>> 
>> 
>> That would not be sufficient, as it is not clear to what the lines refer.
>> 
>> However, we should not add anything to NOTICE unless it is _required_.
>> This does not appear to be the case here.
>> 
>> NOTICE is for _required_ attributions.
>> 
> 
> What does this mean in plain English? We apparently are not required to
> make a formal attribution to the original author. Can I go ahead and
> copy the test data to HC test code tree?


These things are not that black and white. 

Part of it is courtesy; part of it is leaving enough breadcrumbs for our peers 
20+ years later -and- for our end users when they need to sort through IP 
issues.

So I suggest that:

-	leave NOTICE as is - as it is for the more 'you must read' this
	sort of things.

-	Add a section in the LICENSE file -OR- an extra file in the publicsuffix
	directory in which you import the publicsuffix data which says
	something like:

	"
	These files/directory/XX have been included under a CC0 1.0
	Public Domain Dedication (url). The original can be found
	at url.
	"

And in any case - put a note in the release notes. Especially if you go down the
path of just a file with the directory as opposed to something at the end
of the license file.

That should make it easy for anyone to find the information reasonably easy; without 
cluttering things up too much.

Thanks,

Dw.
	




Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2014-08-28 at 22:34 +0100, sebb wrote:
> On 28 August 2014 20:32, Asankha C. Perera <as...@apache.org> wrote:

...

> > I think that is the legal text.. but for the NOTICE file we could possibly
> > use just the following two lines to keep it short?
> >
> >
> > // Any copyright is dedicated to the Public Domain.
> > // http://creativecommons.org/publicdomain/zero/1.0/
> >
> 
> That would not be sufficient, as it is not clear to what the lines refer.
> 
> However, we should not add anything to NOTICE unless it is _required_.
> This does not appear to be the case here.
> 
> NOTICE is for _required_ attributions.
> 

Sebastian,

What does this mean in plain English? We apparently are not required to
make a formal attribution to the original author. Can I go ahead and
copy the test data to HC test code tree?

Oleg 





Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by sebb <se...@gmail.com>.
On 28 August 2014 20:32, Asankha C. Perera <as...@apache.org> wrote:
> On 08/29/2014 12:49 AM, sebb wrote:
>>
>> On 28 August 2014 20:11, Oleg Kalnichevski <ol...@apache.org> wrote:
>>>
>>> On Thu, 2014-08-28 at 16:51 +0100, sebb wrote:
>>>>
>>>> On 28 August 2014 10:20, Oleg Kalnichevski <ol...@apache.org> wrote:
>>>>>
>>>>> On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
>>>>>>
>>>>>> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
>>>>>>
>>>>>>> I have pretty much completely rewritten every bit of code related to
>>>>>>> hostname verification in SVN trunk.
>>>>>>>
>>>>>>>
>>>>>>> https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>>>>>>>
>>>>>>> I would truly appreciate someone doing a peer review of the changes
>>>>>>> and / or giving me feedback with regards to further improvements.
>>>>>>
>>>>>> Looks good. Couple of thoughts
>>>>>>
>>>>>> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
>>>>>>
>>>>>> My guess is that longer term you will get too many specials - and the
>>>>>> end game is parsing something like https://publicsuffix.org/ and
>>>>>> specifically
>>>>>>
>>>>>>        https://publicsuffix.org/list/effective_tld_names.dat
>>>>>>
>>>>> Folks
>>>>>
>>>>> It turns out that we already have a substantial amount of code for
>>>>> publicsuffix.org support in our 'cookie' module. It was contributed by
>>>>> Ortwin 'Odi' Glueck some while ago.
>>>>>
>>>>> I would like to enhance the existing implementation and also extend its
>>>>> test coverage.
>>>>>
>>>>> There is a set of test scenarios distributed by Mozilla, which I would
>>>>> like to re-use
>>>>>
>>>>>
>>>>> http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
>>>>>
>>>>> It is distributed as Creative Commons zero copyright. We can
>>>>> incorporate
>>>>> those test scenarios. Do we need to add attribution clause to our
>>>>> NOTICE
>>>>> and Zero Copyright license to our LICENSE file?
>>>>>
>>>>> What do you think?
>>>>
>>>> The rule for adding stuff to NOTICE is here:
>>>>
>>>> http://www.apache.org/legal/resolved.html#required-third-party-notices
>>>>
>>>> What is the exact wording of the license used by Mozilla?
>>>> Is there a URL for it?
>>>>
>>> The license can be found here:
>>>
>>> http://creativecommons.org/publicdomain/zero/1.0/
>>
>> That's not actually the license, nor does the link to the full text
>> appear to be the text of the license.
>>
>> I was after the link to the license details on the Mozilla site.
>
> I think that is the legal text.. but for the NOTICE file we could possibly
> use just the following two lines to keep it short?
>
>
> // Any copyright is dedicated to the Public Domain.
> // http://creativecommons.org/publicdomain/zero/1.0/
>

That would not be sufficient, as it is not clear to what the lines refer.

However, we should not add anything to NOTICE unless it is _required_.
This does not appear to be the case here.

NOTICE is for _required_ attributions.

> asankha
>
>
> --
> Asankha C. Perera
> AdroitLogic, http://adroitlogic.org
>
> http://esbmagic.blogspot.com
>


Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by "Asankha C. Perera" <as...@apache.org>.
On 08/29/2014 12:49 AM, sebb wrote:
> On 28 August 2014 20:11, Oleg Kalnichevski <ol...@apache.org> wrote:
>> On Thu, 2014-08-28 at 16:51 +0100, sebb wrote:
>>> On 28 August 2014 10:20, Oleg Kalnichevski <ol...@apache.org> wrote:
>>>> On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
>>>>> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
>>>>>
>>>>>> I have pretty much completely rewritten every bit of code related to
>>>>>> hostname verification in SVN trunk.
>>>>>>
>>>>>> https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>>>>>>
>>>>>> I would truly appreciate someone doing a peer review of the changes
>>>>>> and / or giving me feedback with regards to further improvements.
>>>>> Looks good. Couple of thoughts
>>>>>
>>>>> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
>>>>>
>>>>> My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically
>>>>>
>>>>>        https://publicsuffix.org/list/effective_tld_names.dat
>>>>>
>>>> Folks
>>>>
>>>> It turns out that we already have a substantial amount of code for
>>>> publicsuffix.org support in our 'cookie' module. It was contributed by
>>>> Ortwin 'Odi' Glueck some while ago.
>>>>
>>>> I would like to enhance the existing implementation and also extend its
>>>> test coverage.
>>>>
>>>> There is a set of test scenarios distributed by Mozilla, which I would
>>>> like to re-use
>>>>
>>>> http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
>>>>
>>>> It is distributed as Creative Commons zero copyright. We can incorporate
>>>> those test scenarios. Do we need to add attribution clause to our NOTICE
>>>> and Zero Copyright license to our LICENSE file?
>>>>
>>>> What do you think?
>>> The rule for adding stuff to NOTICE is here:
>>>
>>> http://www.apache.org/legal/resolved.html#required-third-party-notices
>>>
>>> What is the exact wording of the license used by Mozilla?
>>> Is there a URL for it?
>>>
>> The license can be found here:
>>
>> http://creativecommons.org/publicdomain/zero/1.0/
> That's not actually the license, nor does the link to the full text
> appear to be the text of the license.
>
> I was after the link to the license details on the Mozilla site.
I think that is the legal text.. but for the NOTICE file we could 
possibly use just the following two lines to keep it short?

// Any copyright is dedicated to the Public Domain.
// http://creativecommons.org/publicdomain/zero/1.0/


asankha


-- 
Asankha C. Perera
AdroitLogic, http://adroitlogic.org

http://esbmagic.blogspot.com






Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by sebb <se...@gmail.com>.
On 28 August 2014 20:11, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Thu, 2014-08-28 at 16:51 +0100, sebb wrote:
>> On 28 August 2014 10:20, Oleg Kalnichevski <ol...@apache.org> wrote:
>> > On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
>> >> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
>> >>
>> >> > I have pretty much completely rewritten every bit of code related to
>> >> > hostname verification in SVN trunk.
>> >> >
>> >> > https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>> >> >
>> >> > I would truly appreciate someone doing a peer review of the changes
>> >> > and / or giving me feedback with regards to further improvements.
>> >>
>> >> Looks good. Couple of thoughts
>> >>
>> >> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
>> >>
>> >> My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically
>> >>
>> >>       https://publicsuffix.org/list/effective_tld_names.dat
>> >>
>> >
>> > Folks
>> >
>> > It turns out that we already have a substantial amount of code for
>> > publicsuffix.org support in our 'cookie' module. It was contributed by
>> > Ortwin 'Odi' Glueck some while ago.
>> >
>> > I would like to enhance the existing implementation and also extend its
>> > test coverage.
>> >
>> > There is a set of test scenarios distributed by Mozilla, which I would
>> > like to re-use
>> >
>> > http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
>> >
>> > It is distributed as Creative Commons zero copyright. We can incorporate
>> > those test scenarios. Do we need to add attribution clause to our NOTICE
>> > and Zero Copyright license to our LICENSE file?
>> >
>> > What do you think?
>>
>> The rule for adding stuff to NOTICE is here:
>>
>> http://www.apache.org/legal/resolved.html#required-third-party-notices
>>
>> What is the exact wording of the license used by Mozilla?
>> Is there a URL for it?
>>
>
> The license can be found here:
>
> http://creativecommons.org/publicdomain/zero/1.0/

That's not actually the license, nor does the link to the full text
appear to be the text of the license.

I was after the link to the license details on the Mozilla site.

> Oleg


Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by sebb <se...@gmail.com>.
On 28 August 2014 20:18, Asankha C. Perera <as...@apache.org> wrote:
> On 08/29/2014 12:41 AM, Oleg Kalnichevski wrote:
>>
>> On Thu, 2014-08-28 at 16:51 +0100, sebb wrote:
>>>
>>> On 28 August 2014 10:20, Oleg Kalnichevski <ol...@apache.org> wrote:
>>>>
>>>> On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
>>>>>
>>>>> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
>>>>>
>>>>>> I have pretty much completely rewritten every bit of code related to
>>>>>> hostname verification in SVN trunk.
>>>>>>
>>>>>>
>>>>>> https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>>>>>>
>>>>>> I would truly appreciate someone doing a peer review of the changes
>>>>>> and / or giving me feedback with regards to further improvements.
>>>>>
>>>>> Looks good. Couple of thoughts
>>>>>
>>>>> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
>>>>>
>>>>> My guess is that longer term you will get too many specials - and the
>>>>> end game is parsing something like https://publicsuffix.org/ and
>>>>> specifically
>>>>>
>>>>>        https://publicsuffix.org/list/effective_tld_names.dat
>>>>>
>>>> Folks
>>>>
>>>> It turns out that we already have a substantial amount of code for
>>>> publicsuffix.org support in our 'cookie' module. It was contributed by
>>>> Ortwin 'Odi' Glueck some while ago.
>>>>
>>>> I would like to enhance the existing implementation and also extend its
>>>> test coverage.
>>>>
>>>> There is a set of test scenarios distributed by Mozilla, which I would
>>>> like to re-use
>>>>
>>>>
>>>> http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
>>>>
>>>> It is distributed as Creative Commons zero copyright. We can incorporate
>>>> those test scenarios. Do we need to add attribution clause to our NOTICE
>>>> and Zero Copyright license to our LICENSE file?
>>>>
>>>> What do you think?
>>>
>>> The rule for adding stuff to NOTICE is here:
>>>
>>> http://www.apache.org/legal/resolved.html#required-third-party-notices
>>>
>>> What is the exact wording of the license used by Mozilla?
>>> Is there a URL for it?
>>>
>> The license can be found here:
>>
>> http://creativecommons.org/publicdomain/zero/1.0/
>
> I think it would be safer to add to NOTICE and LICENSE files

NOTICE is for _required_ attributions only.
NOTICE has to be passed on to downstream consumers so must be as short
as possible.

> regards
> asankha
>
> --
> Asankha C. Perera
> AdroitLogic, http://adroitlogic.org
>
> http://esbmagic.blogspot.com


Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by "Asankha C. Perera" <as...@apache.org>.
On 08/29/2014 12:41 AM, Oleg Kalnichevski wrote:
> On Thu, 2014-08-28 at 16:51 +0100, sebb wrote:
>> On 28 August 2014 10:20, Oleg Kalnichevski <ol...@apache.org> wrote:
>>> On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
>>>> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
>>>>
>>>>> I have pretty much completely rewritten every bit of code related to
>>>>> hostname verification in SVN trunk.
>>>>>
>>>>> https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>>>>>
>>>>> I would truly appreciate someone doing a peer review of the changes
>>>>> and / or giving me feedback with regards to further improvements.
>>>> Looks good. Couple of thoughts
>>>>
>>>> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
>>>>
>>>> My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically
>>>>
>>>>        https://publicsuffix.org/list/effective_tld_names.dat
>>>>
>>> Folks
>>>
>>> It turns out that we already have a substantial amount of code for
>>> publicsuffix.org support in our 'cookie' module. It was contributed by
>>> Ortwin 'Odi' Glueck some while ago.
>>>
>>> I would like to enhance the existing implementation and also extend its
>>> test coverage.
>>>
>>> There is a set of test scenarios distributed by Mozilla, which I would
>>> like to re-use
>>>
>>> http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
>>>
>>> It is distributed as Creative Commons zero copyright. We can incorporate
>>> those test scenarios. Do we need to add attribution clause to our NOTICE
>>> and Zero Copyright license to our LICENSE file?
>>>
>>> What do you think?
>> The rule for adding stuff to NOTICE is here:
>>
>> http://www.apache.org/legal/resolved.html#required-third-party-notices
>>
>> What is the exact wording of the license used by Mozilla?
>> Is there a URL for it?
>>
> The license can be found here:
>
> http://creativecommons.org/publicdomain/zero/1.0/
I think it would be safer to add to NOTICE and LICENSE files

regards
asankha

-- 
Asankha C. Perera
AdroitLogic, http://adroitlogic.org

http://esbmagic.blogspot.com






Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2014-08-28 at 16:51 +0100, sebb wrote:
> On 28 August 2014 10:20, Oleg Kalnichevski <ol...@apache.org> wrote:
> > On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
> >> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
> >>
> >> > I have pretty much completely rewritten every bit of code related to
> >> > hostname verification in SVN trunk.
> >> >
> >> > https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
> >> >
> >> > I would truly appreciate someone doing a peer review of the changes
> >> > and / or giving me feedback with regards to further improvements.
> >>
> >> Looks good. Couple of thoughts
> >>
> >> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
> >>
> >> My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically
> >>
> >>       https://publicsuffix.org/list/effective_tld_names.dat
> >>
> >
> > Folks
> >
> > It turns out that we already have a substantial amount of code for
> > publicsuffix.org support in our 'cookie' module. It was contributed by
> > Ortwin 'Odi' Glueck some while ago.
> >
> > I would like to enhance the existing implementation and also extend its
> > test coverage.
> >
> > There is a set of test scenarios distributed by Mozilla, which I would
> > like to re-use
> >
> > http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
> >
> > It is distributed as Creative Commons zero copyright. We can incorporate
> > those test scenarios. Do we need to add attribution clause to our NOTICE
> > and Zero Copyright license to our LICENSE file?
> >
> > What do you think?
> 
> The rule for adding stuff to NOTICE is here:
> 
> http://www.apache.org/legal/resolved.html#required-third-party-notices
> 
> What is the exact wording of the license used by Mozilla?
> Is there a URL for it?
> 

The license can be found here:

http://creativecommons.org/publicdomain/zero/1.0/

Oleg





Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem

Posted by sebb <se...@gmail.com>.
On 28 August 2014 10:20, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
>> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <ol...@apache.org> wrote:
>>
>> > I have pretty much completely rewritten every bit of code related to
>> > hostname verification in SVN trunk.
>> >
>> > https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>> >
>> > I would truly appreciate someone doing a peer review of the changes
>> > and / or giving me feedback with regards to further improvements.
>>
>> Looks good. Couple of thoughts
>>
>> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
>>
>> My guess is that longer term you will get too many specials - and the end game is parsing something like https://publicsuffix.org/ and specifically
>>
>>       https://publicsuffix.org/list/effective_tld_names.dat
>>
>
> Folks
>
> It turns out that we already have a substantial amount of code for
> publicsuffix.org support in our 'cookie' module. It was contributed by
> Ortwin 'Odi' Glueck some while ago.
>
> I would like to enhance the existing implementation and also extend its
> test coverage.
>
> There is a set of test scenarios distributed by Mozilla, which I would
> like to re-use
>
> http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
>
> It is distributed as Creative Commons zero copyright. We can incorporate
> those test scenarios. Do we need to add attribution clause to our NOTICE
> and Zero Copyright license to our LICENSE file?
>
> What do you think?

The rule for adding stuff to NOTICE is here:

http://www.apache.org/legal/resolved.html#required-third-party-notices

What is the exact wording of the license used by Mozilla?
Is there a URL for it?

> Oleg