[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ERROR verb (was: Re: well-formedness error)

To: Mark Baker <distobj@xxxxxxx>
Subject: Re: ERROR verb (was: Re: well-formedness error)
From: Robert Sayre <mint@xxxxxxxxxxxxxxx>
Date: Sun, 20 Jun 2004 13:36:16 -0400
Cc: Atom Syntax <atom-syntax@xxxxxxx>
In-reply-to: <>
List-archive: <http://www.imc.org/atom-syntax/mail-archive/>
List-id: <atom-syntax.imc.org>
List-unsubscribe: <mailto:atom-syntax-request@imc.org?body=unsubscribe>
Sender: owner-atom-syntax@xxxxxxxxxxxx
User-agent: Microsoft-Entourage/10.1.0.2006

On 6/20/04 12:35 PM, "Mark Baker" <distobj@xxxxxxx> wrote:

> Though it's well intentioned, I think this type of service is certain to
> be abused.  That doesn't mean that we can't make a go of it, but I think
> there's a lot more work to do to make that happen, and going only part
> way is probably asking for trouble.

Participation is opt-in for all parties. If the ErrorURI is so abused that
it becomes useless, people will drop it, and we can drop it from a future
version of Atom.

> Here's some possible problems that I can forsee;
> 
> - intentional bombardment; akin to mailbombing

Isn't every resource on the web vulnerable to this? There would seem to be
far more tempting targets.

> - unintentional bombardment; a very popular feed sends out some bad
> Atom, and gets nailed by 1000s of do-good aggregators

I want to revise the Pace to remove any suggestion that the ErrorURI request
should be automatic. I'd prefer that end-user aggregator applications do
something similar to RSS Bandit, where the errors are listed in a separate
area. Currently, RSS Bandit suggests that the user email the producer.
PaceServiceError would add the capability to ping the ErrorURI.

Servers may start to return 410 for an ErrorURI at any time. Hopefully,
caching servers will catch on and lighten the load.

> - lying; an attacker grabs your good Atom, tweaks it to be bad Atom,
> then sends an error report to you

Note that PaceServiceError sends no information about the nature of the
error. The idea is not for people to read reports and error messages, but to
analyze the log in relation to versions of their feed and the output of a
validator. There will be noise, just as there is with any log file.

Also, there's nothing stopping someone from presenting ErrorURI information
to authenticated users only, or requiring authentication for the ErrorURI.

> - if error reports are presented on a publically accessible web page,
> prepare for "error spam"

Well, yeah. People suck.

Robert Sayre

References:
- Re: ERROR verb (was: Re: well-formedness error)
  - From: Mark Baker

Prev by Date: Re: ERROR verb (was: Re: well-formedness error)
Next by Date: PaceErrVerb
Previous by thread: Re: ERROR verb
Next by thread: Re: well-formedness error
Index(es):
- Date
- Thread