Re: Declarative HTTP Spec Test Suite

Willy Tarreau <w@1wt.eu> Tue, 28 May 2024 03:51 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54D37C15153F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 May 2024 20:51:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Level:
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="n7ZKhtPr"; dkim=pass (2048-bit key) header.d=w3.org header.b="XIternzi"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2zt76DrM1Wvl for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 27 May 2024 20:51:27 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F305C14F69A for <httpbisa-archive-bis2Juki@ietf.org>; Mon, 27 May 2024 20:51:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Cc:To:From:Date:Reply-To; bh=FxtkAE+ISVW7obb55ZWa6h74LiPH9vnjIqhh3HQ7p0w=; b= n7ZKhtPr9zjP6deYbkaVCLaSl/8QqmWjBTfQ94Irc3F1TZNgGma1xbBg7csmpMxgVpyPsG/f7EIvW IspS/Gt+TagP/20J7z34X9vhSTEceGwvzQrTFbQIevKrVtsjpLsmFwgExu+V3NbW8lYGHsvUGPN8O IiNG04cjLlRh8I0nGJyXJVh+dW5LUpwI9aDq3Z/6HLyLZlhZ8zqAZpfshDX8hI4NgXnrvewpsjeHv wWwocUlfSbsxQuAU5XWyd5e2UiJlKBkO+YjJEEy6BbaO+p7OyBcRuF+6Jh8XHPto8RX6u+6Q4a4Gj ztjTuJisZPtiOUR1KI95nIxuNNCZtFR3aQ==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1sBnr6-00DwPs-0G for ietf-http-wg-dist@listhub.w3.org; Tue, 28 May 2024 03:50:32 +0000
Resent-Date: Tue, 28 May 2024 03:50:32 +0000
Resent-Message-Id: <E1sBnr6-00DwPs-0G@mab.w3.org>
Received: from ip-10-0-0-144.ec2.internal ([10.0.0.144] helo=pan.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <w@1wt.eu>) id 1sBnr3-00DwOw-0u for ietf-http-wg@listhub.w3.internal; Tue, 28 May 2024 03:50:29 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject: Cc:To:From:Date:Reply-To; bh=FxtkAE+ISVW7obb55ZWa6h74LiPH9vnjIqhh3HQ7p0w=; t=1716868229; x=1717732229; b=XIternzieyiNMo009vbIUASpmJIvc4N9+yLCpAl43UeySdS FubcY/sjGXQIW4fQ2bQ61FU4mlUsnjpEKS5Pq+YaYtJxjCBe6Ooxv82J3dpv6UiN7QgJy/qIuRI0n UWbDH/nLGm/k3K/htAdsecmGH5irgIR+J7jg3uJAD8MnAGsIhJ0aCbZh6TEy/qCdIC/uK8tWY4lgx xHB+cWRnRMaRMuS9uE138EmNVByJsyHM+5o756ZAgnqZkeG42PHFRjid1DEegzI4oTISw66zskMaT bC4ZhCEwfSxKIIbEW38ThBDVhyCqlMhGdwg/nRHX5CTrjBCnKfgEuzlRdXo1VecA==;
Received-SPF: pass (pan.w3.org: domain of 1wt.eu designates 163.172.96.212 as permitted sender) client-ip=163.172.96.212; envelope-from=w@1wt.eu; helo=1wt.eu;
Received: from ded1.1wt.eu ([163.172.96.212] helo=1wt.eu) by pan.w3.org with esmtp (Exim 4.96) (envelope-from <w@1wt.eu>) id 1sBnr2-008f89-0n for ietf-http-wg@w3.org; Tue, 28 May 2024 03:50:29 +0000
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 44S3oKJk031826; Tue, 28 May 2024 05:50:20 +0200
Date: Tue, 28 May 2024 05:50:20 +0200
From: Willy Tarreau <w@1wt.eu>
To: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>
Cc: Daniel Stenberg <daniel@haxx.se>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20240528035020.GA31773@1wt.eu>
References: <tPxvQGS7_bxKqrFish00m9LtTT_JQfE0RU1bthEcxYNTZR_uzbkEWKNOTg9c5azoZSYuDWt9pLCiS7Kd4nIWK8DPN1sOtcgbDGx4L7BeeU4=@caffeinatedwonders.com> <6758o6r-8962-5nnq-q18p-59o7q9177rno@unkk.fr> <1FXVFW5A0xCTs9rXwXRVdjbxq-JtXQZhX50amFR4sWpwe_UaYxrswkQGsq5FD-WzmN0jdaCNEiGnzp6ToBS3HQz1CP9H99LZXiXzQqhJwH4=@caffeinatedwonders.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1FXVFW5A0xCTs9rXwXRVdjbxq-JtXQZhX50amFR4sWpwe_UaYxrswkQGsq5FD-WzmN0jdaCNEiGnzp6ToBS3HQz1CP9H99LZXiXzQqhJwH4=@caffeinatedwonders.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-W3C-Hub-Spam-Status: No, score=-4.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DMARC_MISSING=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1sBnr2-008f89-0n d2d335e541f595f38d5a96e2ac0c31e2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Declarative HTTP Spec Test Suite
Archived-At: <https://www.w3.org/mid/20240528035020.GA31773@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51974
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Mon, May 27, 2024 at 11:13:05PM +0000, Mohammed Al Sahaf wrote:
> > It is not really in curl's interest to reach a highscore in a compliance test
> > if that means that it interoperates less good. curl is not a HTTP compliance
> > meter, it is an internet transfer tool and library.
> > 
> > This said, we of course want to comply as far as possible, but whenever there
> > is a fork in the road, the decision might not always be to go with the
> > strictest language in the most recent RFC. I'm also sure we can find downright
> > bugs or just protocol silliness even in curl's implementation.
> >
> > Also, as has been discussed numerous times: the HTTP RFCs mostly describe how
> > things should work and how to behave, not how to act when the other side does
> > the wrong thing or how to fail etc.
> 
> Clear, and that's sensible and pragmatic. The goal is to find where the
> implementations disagree, identify the gaps, and perhaps retrofit the fixes
> into the protocol definition. I believe it'll be valuable to know the
> situations of "This is where X differs from {the rest, RFC}". Maybe it's a
> bug in the implementation. Maybe it's not an oversight, rather the devs have
> a good reason for sidestepping that part of the spec. Maybe it's a bug in the
> spec. What I hope to achieve with this is to shine a spotlight on the various
> implementations to find those dark corners.

In practice, for most of the multi-decades old implementations, there are
users who take a long time to fix their local components, and the non-
compliance is often dictated by usage. A lot of the rules in the specs
come from feedback from such implementations who are at least seeking a
new rule in the spec to have something to present the next time a user
insists that the tool is wrong (because that happens a lot). It can take
from 5 to 10 years to deprecate some non-compliant behavior, and I'm sure
that most of the derivations from the spec are caused by one user's request
for being less strict regarding their old application.

There's indeed the rest, bug and/or accidental non-compliance, but we're
all extremely cautious when trying to fix that because whatever works by
accident might be a feature for some users. For example, I'm pretty sure
that if you find a non-compliant behavior in haproxy and one in varnish
where both disagree, it will be very hard to reconciliate them because
each one will either have a different history justifying its existence,
or some suspicion that some user might possibly rely on it.

There are lots of things that should "just work" but they're based on
common sense and not necessarily explicitly written in the spec, because
they derive from more general rules. Generally what should "just work"
does work fine for common components that have been exposed to the net
for a decade or more. And there's limited willingness to break what is
not compliant but used to work. So it seems to me that the value for
the working group would be limited anyway, it's only up to each
implementation to decide how to act on non-compliant behaviors.

With that said, having a common collection of tests to run on compatible
implementations can be useful, it will simply not be easy to adopt by
everyone. Also, testing clients is very difficult because contrary to
servers which just have to respond to sollicitations, someone has to act
on the client to run the desired tests, so the approach is different
(and different between various clients), and I'm not convinced that a
same test collection would work for all implementations due to this.

Regards,
Willy