Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Preload common JSON-LD contexts #9412
referenced this pull request
Dec 2, 2018
OK, I've read the problem description. Thoughts:
Context is not neccessary for HTTP signatures, so why is federation broken when the context is unavailable, even though only linked data signatures should be broken? We should contain that error within that functionality, and make sure it doesn't break everything.
I have originally replaced the preloads with a cache mechanism because there is no guarantee that an incoming document will use any of the preloaded contexts, which would mean an arbitrary HTTP request. The preloads are a false sense of security in a way. Perhaps even more importantly, using cache instead of preloads allows even older instances to understand signatures from newer instances if the context has changed. However, I can't deny that currently things are bad because we don't have preloads as a fallback anymore.
@Gargron yes, we could decouple those two things (signing the payload, and sending a potentially unsigned payload), but I don't think there is much sense in that if we can make sure signing the payload is always ok.
My commit doesn't remove the loading and caching of unknown remote contexts. I don't think such “core” contexts are supposed to change, are they? Also, I think preloading them has performances advantages over re-parsing and re-loading them from cache.
@Gargron i agree, but we should get this fix out urgently and then work on making LDsigs fail-fast later.
contexts are assumed to be mutable by default, although i believe w3c does provide versioned activitystreams contexts now.