hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: [Legal] publicsuffix.org test data; was Re: CVE-2014-3577 postmortem
Date Thu, 28 Aug 2014 19:22:04 GMT
On 28 August 2014 20:18, Asankha C. Perera <asankha@apache.org> wrote:
> On 08/29/2014 12:41 AM, Oleg Kalnichevski wrote:
>>
>> On Thu, 2014-08-28 at 16:51 +0100, sebb wrote:
>>>
>>> On 28 August 2014 10:20, Oleg Kalnichevski <olegk@apache.org> wrote:
>>>>
>>>> On Thu, 2014-08-21 at 17:50 +0200, Dirk-Willem van Gulik wrote:
>>>>>
>>>>> Op 21 aug. 2014, om 15:26 heeft Oleg Kalnichevski <olegk@apache.org>
>>>>> het volgende geschreven:
>>>>>
>>>>>> I have pretty much completely rewritten every bit of code related
to
>>>>>> hostname verification in SVN trunk.
>>>>>>
>>>>>>
>>>>>> https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>>>>>>
>>>>>> I would truly appreciate someone doing a peer review of the changes
>>>>>> and / or giving me feedback with regards to further improvements.
>>>>>
>>>>> Looks good. Couple of thoughts
>>>>>
>>>>> - BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN
>>>>>
>>>>> My guess is that longer term you will get too many specials - and the
>>>>> end game is parsing something like https://publicsuffix.org/ and
>>>>> specifically
>>>>>
>>>>>        https://publicsuffix.org/list/effective_tld_names.dat
>>>>>
>>>> Folks
>>>>
>>>> It turns out that we already have a substantial amount of code for
>>>> publicsuffix.org support in our 'cookie' module. It was contributed by
>>>> Ortwin 'Odi' Glueck some while ago.
>>>>
>>>> I would like to enhance the existing implementation and also extend its
>>>> test coverage.
>>>>
>>>> There is a set of test scenarios distributed by Mozilla, which I would
>>>> like to re-use
>>>>
>>>>
>>>> http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/data/test_psl.txt?raw=1
>>>>
>>>> It is distributed as Creative Commons zero copyright. We can incorporate
>>>> those test scenarios. Do we need to add attribution clause to our NOTICE
>>>> and Zero Copyright license to our LICENSE file?
>>>>
>>>> What do you think?
>>>
>>> The rule for adding stuff to NOTICE is here:
>>>
>>> http://www.apache.org/legal/resolved.html#required-third-party-notices
>>>
>>> What is the exact wording of the license used by Mozilla?
>>> Is there a URL for it?
>>>
>> The license can be found here:
>>
>> http://creativecommons.org/publicdomain/zero/1.0/
>
> I think it would be safer to add to NOTICE and LICENSE files

NOTICE is for _required_ attributions only.
NOTICE has to be passed on to downstream consumers so must be as short
as possible.

> regards
> asankha
>
> --
> Asankha C. Perera
> AdroitLogic, http://adroitlogic.org
>
> http://esbmagic.blogspot.com
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> For additional commands, e-mail: dev-help@hc.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message