libravatar-fans team mailing list archive

Thread
Date

Re: Issues with the API specification

To: libravatar-fans@xxxxxxxxxxxxxxxxxxx
From: Christian Weiske <cweiske@xxxxxxxxxx>
Date: Fri, 3 Aug 2012 06:40:10 +0200
In-reply-to: <20120802233015.GF10566@isafjordur.dyndns.org>

Hello Francois,


> > If it does not match "^[a-z0-9]+$", redirect to that supposed URL.
> > Done.
> Either that, or we have a register of allowed default URLs that
> third-party implementations can either support or ignore.

I'd like to have it in very generic way, without the need for central
registries - we're talking about federation here.

> > Which leads to another point: Do servers need to validate default
> > URIs?
> I'd say that servers shouldn't validate the URI, just redirect.

I favor that, too.


> > The use case for different modes ... maybe I've implemented a cool
> > new way to generate dynamic avatars, similar to monsterids - ponyid
> > for example. Do I want to wait for the libravatar spec to be
> > updated? This does not scale.
> Well, maybe, but I don't see the point of having those if you're the
> only implementation that does it?

Please remember we're talking about a specification here. I'm very glad
that the HTTP spec does not give us a list of allowed HTTP headers but
we're allowed to add our own.

Think about it in a similar way: Don't artificially limit what people
can do with the API. Limits are good, but in this case it seems silly
to me to limit it to 4 or 5 types supported by one software.

About the "you're the only implementation": I may be, but perhaps I'm a
company/community with thousands of users. Should I really have to
break the specification to get my pony avatars?

Then I blog about it and other avatar server admins like the idea and
install the pony plugin on their server. At once there are 100 servers
breaking the specification.

Please just provide the range "^[a-z0-9]+$", and tell people they may
do when they don't support the given default mode. Apart of "404", which
should be mandatory to implement.


> > What if SPDY gets more common? It's basically HTTPS over HTTP, so
> > even if you ask HTTP, you might get SPDY HTTPS.
> If I understand spdy correctly, I think you only get it when you ask
> for HTTPS. And the URL scheme is still "https". So I'm not sure we
> need to do anything at all to allow it.

I'd need to research that. But even if SPDY would be delivered via
http://, there is no way to determine if the client supports it, or
normal HTTP/HTTPS only. So my point is moot :)

So the spec should state that if the client wants https, and the server
does not offer it, libravatar MUST be asked via https.

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske

-=≡ Geeking around in the name of science since 1982 ≡=-

Attachment: signature.asc
Description: PGP signature

Follow ups

Re: Issues with the API specification
From: Francois Marier, 2012-08-04

References

Issues with the API specification
From: Christian Weiske, 2012-07-31
Re: Issues with the API specification
From: Francois Marier, 2012-08-01
Re: Issues with the API specification
From: Christian Weiske, 2012-08-01
Re: Issues with the API specification
From: Francois Marier, 2012-08-02