-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow publication of documents with HTTPS
current/previous version links.
#282
Comments
Ping? ~2 weeks ago, @plehegar suggested the following in """ Implementing either of those suggestions would preclude the current behavior of outright rejecting links to |
We're making progress but still have some issues: we're looking at implications in tr.rdf and the w3c api. I think we can do 1 or 2 as I proposed on irc but before we can do it, we have to figure how to represent that in the data, not just the document, otherwise we'll break tools like specref. |
Let's imagine that HTML 5.1 gets published in June, July and August 2016 HTML document published in /TR June 2016 document:
July 2016 document:
August 2016 document:
tr.rdf representation of those documents:
w3c api: Before the switch:
After the switch: we can't represent the equivalence between
|
I circulated the proposal internally and didn't get pushback. So, my next step is to send the proposal to spec-prod and chairs. I ought to get to this this week. If you don't see anything from him, feel free to poke me in the eye until I do it. |
Proposal was sent to spec-prod: |
ReSpec has a PR in waiting to support this. |
@plehegar: Can you update the status here? I see that there's been some discussion on that thread, but the conclusion isn't at all clear to me. This blocked @estark37 from publishing a draft earlier in the week, and I can only imagine that it's biting other folks as well, given that HTTPS is fairly accepted as best practice. |
I'm also waiting on an Ok to merge in ReSpec from @plehegar: I'm worried that if I merge Echinda and PubRules will cry because of the new URLs. |
I need to catch up with Tobie. As far as we know, he is the long pole at the moment in making the switch. If we can get specref.org to digest the https switch, then we're good to go. If we can't, they doing the switch means that we would break specref, and breaks respec and bikeshed subsequently. See also |
@tobie: What can we do to help out? Has anything happened since your comments on that thread a month ago? |
To be fair with @tobie, I didn't follow up well enough with him. Part is because I got confused what he was asking for. The only way to create data before the switch is to create fake data as far as I know and he was pushing back on this idea. |
My initial request was for a grace period during which both https and http would coexist so as to give me enough time to figure out what impact the change had. If that's impossible to provide, the other option is to run a frozen version of Specref until I figure out the consequences of these changes. That later solution does imply, however, that Specref will be out of date for a while. And given I work on this on my free time, and will be OoO for part of the summer, I can't really commit to a date at which I can do the transition. Frankly, specref code isn't the highest quality software available, and while the transition could literally take less than 2 hours, it might also be much more painful than that; I had to backpedal out of a PR recently because it broke things in weird and unexpected ways. I wouldn't be surprised finding lots of similar issues here. |
If it would be of help, I'm available next week to assist in whatever way I can. I don't fully understand the problem at this point, but happy to set time aside to see if we can come up with a strategy or try some things.
|
Me neither. That's precisely the problem. |
which part of the problem is obscure? I tried to be as precise as possible in how the change would be implemented. I'm happy to clarify things if it helps. |
How Specref will react to these changes is what's obscure. |
so, do we know what to do here? As far as I can tell, W3C can either switch to https and break specref.org (and bikeshed and respec as a consequence), or we should delay the switch until a solution for specref.org is found... |
Well, as I said, if the preferred solution of publishing the new (https-aware) rdf file in parallel with the old one isn't possible, the next best solution is for me to freeze specref updates until I figure out how to handle the new rdf format. |
What I need for this 2nd solution is a schedule + ideally an on-call person on your side so we can fix possible rdf bugs quickly. |
[Tobie and I caught up on irc] Here is the solution to do the switch sooner rather than later: if we can't do the solution above, we're probably looking at moving the switch to August 1st instead. |
Any news? /cc @deniak |
Sounds good. By new RDF, do you mean the one containing https links or the current one on a new URL? |
@tobie you can find the experimental rdf at https://www.w3.org/2002/01/tr-automation/tr-https.rdf. For testing purpose, I only moved the specs published after May 31 to https. |
Moving earlier discussions on GH:
|
Thanks for moving the conversation on a public forum. Much appreciated.
OK. I'm not sure I'm following. Couple of questions:
|
For context, here, I take a pragmatic approach to this issue, not a (technically pure) semweb one. As far as I'm concerned, the content on both http and https versions of the spec should be the same (with the possible exception of internal links which might have matching protocols for absolute URLs). So Specref internals will consider it as such (that's what I have to fix, basically, to make sure that URL-based comparisons are protocol-agnostic). Ultimately, I'd like Specref to expose https URLs for all W3C specs regardless of when said specs will have been published. I feel like this publish-date-based role-out of https is strange and potentially prone to creating issues over a substantial amount of time. So I have two follow-up questions:
|
To answer your questions, all the specs under /TR are and will remain available on http and https. This is the case since our recent HSTS support. You will be redirected only if your browser supports HSTS/CSP. Now, the problem is how to represent the data and make everyone happy. We cannot simply update all the URIs to https even if that's what the user actually sees if he's using a recent browser. Take a look at that blog post @philarcher1 wrote to explain why we can't just update the scheme. |
I'm kind of confused. @philarcher1's post you link above explicitly says W3C is treating resources on www.w3.org as identical regardless of their protocol:
So I guess I don't understand why you're not switching all of the URLs within the APIs to https. (Note I'm not suggesting you actually modify the specs themselves.) |
Note this link requires a member account. |
The blog post suggests to keep using http:
On the other hand, some editors are pushing towards https (topic of that issue) so we need to find a way to make both worlds happy. |
Oups, sorry. You can find the public post there: https://www.w3.org/blog/news/archives/5263 |
So one one hand, you have people arguing to use http and have the server/browser combo upgrade to https if they can, and on the other, you have people pushing for https everywhere. I get how that's an unfortunate position to be in. But I'm not sure how your solution to let https trickle down is going to make both worlds happy (I'm pretty sure it's going to piss off everyone instead 😃 ). |
Just rolled-out a brute force solution to Specref (tobie/specref#286). Let's see if it works or if I have to roll everything back. If it does, you can consider the Specref blocker resolved. |
OK, Specref seems to be working properly so far serving only https links for W3C specs, so we should pretty much be good on the Specref side at this point. |
Woot woot! |
From my POV, the key thing is that the original http URIs still work. The underlying issue is persistence of identifiers. No doubt this Thanks for taking this seriously, Phil. On 21/06/2016 10:56, Marcos Cáceres wrote:
Phil Archer http://philarcher.org |
Thank you @tobie! @deniak, @plehegar, et al: When you remove the requirement that "This version" and "Previous Version" links be insecure, could you also allow HTTPS for the following:
I can also file separate bugs for those, if that would be helpful. :) |
For the 3 points above, this is inline with the proposal. We will even make https a requirement.
Regarding the WG homepage link, it's a bit tricky. Specberus checks that link against what's listed on https://www.w3.org/Member/Mail. As you can see, some WGs still have their homepage under http. |
Starting from Aug 1, 2016, specberus requires https links. |
Thank you. :) |
As a tiny, tiny step towards #145, it would be lovely to allow publications of documents whose "This version:" and "Previous version:" links are HTTPS as opposed to HTTP.
The text was updated successfully, but these errors were encountered: