Stream: warg

Topic: Relative content URLs


Lann Martin (Jul 24 2023 at 18:52):

This PR makes an API change that hasn't been discussed: allowing relative URLs as upload endpoints. This is convenient for the implementation as it could avoid the need to specify a content base URL in the simplest deployment scenarios.

This implements the proposal here: #160. It adapts some of #137. Notably it does not add a "patch record" operation as I think that conflicts with #146. I also fell down a bit of a rabbit hole to al...

Lann Martin (Jul 24 2023 at 18:53):

  1. Any concerns with using relative URLs like this?
  2. Should these be allowed in download URLs as well (seems clear to me if 1 is OK)?

Robin Brown (Jul 24 2023 at 18:58):

I guess since everything has checksums, the security concerns are pretty minor.
It's possible that a client might try to resolve a URL that came from an upstream repo against the downstream registry's origin, which isn't a security problem because they need to validate the hash anyway but could cause some instability in poorly-written clients or clients that aren't yet fully federation-aware.

Lann Martin (Jul 24 2023 at 19:00):

I think a (shallow) mirror would need to rewrite relative URLs, which is definitely an argument against allowing them.

Robin Brown (Jul 24 2023 at 21:37):

Allowing relative URLs or allowing shallow mirroring?

Lann Martin (Jul 24 2023 at 21:47):

relative URLs


Last updated: Oct 23 2024 at 20:03 UTC