[Cbor] Re: I-D Action: draft-mcnally-deterministic-cbor-10.html

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 29 July 2024 15:19 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56996C169411 for <cbor@ietfa.amsl.com>; Mon, 29 Jul 2024 08:19:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H0a_WoryOsYM for <cbor@ietfa.amsl.com>; Mon, 29 Jul 2024 08:19:23 -0700 (PDT)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A124C1840DD for <cbor@ietf.org>; Mon, 29 Jul 2024 08:19:22 -0700 (PDT)
Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-a7a9185e1c0so333576266b.1 for <cbor@ietf.org>; Mon, 29 Jul 2024 08:19:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722266361; x=1722871161; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=pusR3teR9ApJfQVPj2LjaEIMgjhFfNvSLdNgXx1NHqk=; b=FnaPQQjTNK9vOr1X0NzmCI0kRvvefJBzngerOW+za0KRVFa6ZwtlLNDO/om3wpF6BJ qXoiH6SA9/wOF+HVnQ2PBVsEOXx1YV2Q4tlk13D2wRlYsJCmCDr6WFROGyw8jHeLKjU0 lUPap5/vpT99HZDQQJ4ewCteCK2/QIoFYWMdi0HGQVt7GIihceUOQESMMM+t0CV3wEdj FJKHt869V1FwMCSWSOfFYhm+Tcy6rP7wyYIgVr43SDtLDrGE8cmXxKFx1DNXGN1ZqaPV p9Lbdw9cq2zBrQo9uA+9kJfA9xl4j4NpPwmJwWE3zSx1L74nbSJXNDPF3u8cBxMubxJ8 leRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722266361; x=1722871161; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=pusR3teR9ApJfQVPj2LjaEIMgjhFfNvSLdNgXx1NHqk=; b=vVU1P7rkTftkqmIdu8s/sHaHvsd/rQ4LZ0Vaqukqvx/Yw2XlUOuS//KYqJrorS1IFY ZDejx1MGH5RLMggd2lJAfRCu4w8PL4R66jYjT0dipSq+7zrzPyGtzTy2JOnby9lZlTfE ALeY10tpnWpWxM+Zc2ACZmhSt4yOlJYDQPMuawLWDnxRAQ92qUuczeSXI6zEcyX1/nTB yH53C8dwEDjzKj9CAPKlAEw+WuCcAy5n+nEosb2VJJLoP/N96Udt0J5fbYhSMGCu4azq r5K9xeEKyl9mNr70ZjK0sPWjLa11peA4BBXJWeMbETk/tsPQVRfFWlCIYAXqcNIKkh9Q sEZA==
X-Forwarded-Encrypted: i=1; AJvYcCUhT7Zj06Oj5tPCnKtrA9SCTSNlT7tulq2qeacBkaJOuP/T2l/A0CJzc7xV8jjsr6po8Iao6yYt7wlY9otk
X-Gm-Message-State: AOJu0YzVJovESSn2UWKaeg4tvwDJ26gxEWwH0ZKgaUPJWXUjMdN/CRfN CNlm/Gi9yF10ziynbtsiZ0U4uYc5l4rg6s3W7c0TViE5LakgBnIs
X-Google-Smtp-Source: AGHT+IEV92ecEmq2a6+xIx7S25qYjwen5+TkzPBwVREz3r9EIEQCG0Ty54nBVC2J5smXizOW0SS99w==
X-Received: by 2002:a17:906:dc95:b0:a6f:dc17:500a with SMTP id a640c23a62f3a-a7d400502d6mr637128066b.23.1722266360498; Mon, 29 Jul 2024 08:19:20 -0700 (PDT)
Received: from ?IPV6:2a01:e0a:e1b:64b0:70e0:e69e:21d2:66ca? ([2a01:e0a:e1b:64b0:70e0:e69e:21d2:66ca]) by smtp.googlemail.com with ESMTPSA id a640c23a62f3a-a7acad4146dsm519813866b.114.2024.07.29.08.19.19 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 29 Jul 2024 08:19:20 -0700 (PDT)
Message-ID: <41d100f8-e895-4091-aa96-b9e830bfa63b@gmail.com>
Date: Mon, 29 Jul 2024 17:19:17 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Joe Hildebrand <hildjj@cursive.net>
References: <a962e326-ab3f-4857-a1ee-2042cf87f32a@gmail.com> <F3E4450A-EA4B-437E-9C58-5DB3972A152C@island-resort.com> <6601a16c-2b2e-45b2-b4e8-7bd4ba136401@gmail.com> <ea6a35e1-18a7-4bea-8ff8-5249e1f26b71@gmail.com> <CAEBC446-7730-4473-AC93-7908ADCB78B4@wolfmcnally.com> <5a2b1212-200e-4c17-acdf-1278c4539531@gmail.com> <2BFB6C9E-62C5-4DB9-B289-D870B546EC26@cursive.net>
Content-Language: en-US
From: Anders Rundgren <anders.rundgren.net@gmail.com>
In-Reply-To: <2BFB6C9E-62C5-4DB9-B289-D870B546EC26@cursive.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 6WII7LMSIQM43QUHPACCT5BGEIOIIAQE
X-Message-ID-Hash: 6WII7LMSIQM43QUHPACCT5BGEIOIIAQE
X-MailFrom: anders.rundgren.net@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cbor.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Wolf McNally <wolf@wolfmcnally.com>, CBOR <cbor@ietf.org>, Christopher Allen <christophera@lifewithalacrity.com>, Shannon Appelcline <shannon.appelcline@gmail.com>, Carsten Bormann <cabo@tzi.org>, Laurence Lundblade <lgl@island-resort.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Cbor] Re: I-D Action: draft-mcnally-deterministic-cbor-10.html
List-Id: "Concise Binary Object Representation (CBOR)" <cbor.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/rTbPV7nZhfhB3124pLiMVP02g7Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Owner: <mailto:cbor-owner@ietf.org>
List-Post: <mailto:cbor@ietf.org>
List-Subscribe: <mailto:cbor-join@ietf.org>
List-Unsubscribe: <mailto:cbor-leave@ietf.org>

On 2024-07-29 15:49, Joe Hildebrand wrote:
Hey Joe,
> I don't understand the message you linked to.

I simply pointed to another project with very different goals compared to dCBOR to in some way provide an explanation to why we do not agree.


> - CBOR subset: this seems like same kind of "breaking change" you accuse dCBOR of

The enterprise application profile is a strict CDE subset, dCBOR is not.  Is the subset too limited? As a JSON replacement it should be more than sufficient.


> - Encoding profile: I don't know your use case, but if you're not getting decoding errors from incorrectly-formatted CDE that is still valid CBOR, you're likely either going to have a security issue or not need determinism.

Invalid CDE would indeed be rejected.  My PoC implementations did that even before CDE was published.


> - I'm still not sold on bidirectional diagnostic notation, and have not planned on writing a parser for it, but I'm still thinking about that.  However, I don't see what it has to do with this discussion.

It is a core part of the mentioned project.  Config file support is the main attraction.


> - draft-rundgren-cotx doesn't bother me, aside from the usage of "URL" instead "URI" and no pointer to RFC 4151.  Using URLs as identifiers is fine until people start dereferencing them at runtime, which they ALWAYS seem to do for some reason.

This is beyond my control.  A big and growing part of the world seems to be OK with URLs as identifiers.  WHATWG do not appear to make a distinction between URLs and URIs: https://url.spec.whatwg.org/


> Saying that everyone should do it your one true way seems... omniscient on your part.

I'm rather saying that the enterprise application profile avoids edge cases like Numeric Reduction, NaN Payloads, 0.0 / -0.0 Map Key Equivalence, and Unicode Normalization.


> Tool develeopers by necessity think about application developers that are going to use their tools, or there won't be any application developers that use their tools.

Claiming that CDE and bCBOR are compatible because you can build what's missing on top of the respective implementations, is not something you would say to application developers.


> You're arguing that my tools are bad.  Please file an issue on GitHub.  I think I fixed the last one you filed.

Your tools are not bad, they are just different to mine.  As long as tools produce what they should, all is cool.

Anders


> 
> —
> Joe Hildebrand
> 
>> On Jul 29, 2024, at 8:40 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> On 2024-07-29 10:08, Wolf McNally wrote:
>>> Anders,
>>> I don’t hear anyone here agreeing with you.
>>
>> Hi Wolf,
>>
>> You are 100% correct but it might have an another explanation than you think: the "WG" (You, Carsten, Laurence, Joe, ?), is focusing on *Tool* developers*.
>>
>> I obviously do not: https://mailarchive.ietf.org/arch/msg/cbor/PFZXSxyvQ7zG6Cj6QmzHd-_K52g/
>>
>> However, targeting the bulk of *Application* developers, indeed makes interoperability the #1 concern.
>>
>> Anders
>>
>>
>>
>>> Not this time, or the last ten times you’ve repeated yourself.
>>> You might want to consider the reasons for that.
>>> (And I definitely call on anyone else here who does agree with you to speak up.)
>>> There are no “breaking changes” in dCBOR.
>>> dCBOR can be decoded with any CBOR (or CDE) decoder.
>>> dCBOR can be encoded with any CBOR (or CDE) encoder.
>>> It won’t be super easy, but you can do it.
>>> That means that dCBOR is interoperable *enough*.
>>> But interoperability is *not the point.*
>>> If CBOR were all about “interoperability” then you could use a CBOR decoder to read a JPEG.
>>> But you can’t do that. Does that mean CBOR is “broken”?
>>> No.
>>> Because the purpose of CBOR is not to be interoperable with everything, or indeed *anything* except CBOR.
>>> And it is not the purpose of dCBOR to be interoperable with anything except dCBOR.
>>> “All dCBOR is CBOR, but not all CBOR is dCBOR.”
>>> “All JPEGs are binary files, but not all binary files are JPEGs.”
>>> See the pattern?
>>> CBOR floating point '2.0' is *not* dCBOR and never will be.
>>> So if you encode CBOR '2.0' and send it to a dCBOR decoder, it *will* be rejected.
>>> That’s not a “breaking change”.
>>> And if you present ‘2.0’ to a dCBOR encoder, then it will be encoded as an integer '2'.
>>> You simply *can’t* encode '2.0' with a strict dCBOR encoder.
>>> But that is *also* not a “breaking change”.
>>> Not what you want? Don’t use dCBOR.
>>> Interoperability is great. But it's *not* the be-all-and-end-all of standards.
>>> dCBOR is not *about* interoperability.
>>> It’s about *takes deep breath*…
>>> …DETERMINISM.
>>> ~ Wolf
>>>> On Jul 28, 2024, at 10:47 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>>
>>>> Hello WG,
>>>>
>>>> You may think I'm repeating myself and to some extent I do.  However, this posting is about INTEROPERABILITY which is one of the pillars of standards.
>>>>
>>>>
>>>> Since dCBOR introduces a BREAKING change [1] with respect to its parent profile (CDE), I felt inclined commenting a bit on the actual draft.
>>>>
>>>> IMO, a revised draft should be fitted with an *Interoperability Section*, giving potential application developers a "heads up" on what to expect: CDE and dCBOR are incompatible at the application level [2].
>>>>
>>>> The primary source of the incompatibility is the reliance on numeric reduction.  According to the draft the integer value 2 and the floating point value 2.0 are "semantically equivalent".  This seems like a stretch since floating point numbers and integers have quite different characteristics with respect to math and value ranges, which also make them having pretty distinct use cases.  In addition, the draft alludes that numeric reduction better matches the requirements for deterministic representation of numbers.
>>>>
>>>> Anders
>>>>
>>>> 1] Although the draft claims that dCBOR is not a "fork" since it maintains compatibility with CBOR [RFC 8949], the reality (the only thing that matters for application developers), is that the referenced decoder implementations [rightfully] reject 2.0 if encoded as CDE.  In the other direction, CDE-compliant decoder implementations and associated applications like https://github.com/cyberphone/CBOR.js/blob/main/test/xyz-decoder.js#L20 would equally rightfully balk at 2.0 encoded according to dCBOR.
>>>>
>>
>