[Mailman-Developers] Re: subscription confirmations

"Jürgen A. Erhard" juergen.erhard@gmx.net
Fri, 20 Jul 2001 05:40:22 +0200


>>>>> "Gerald" == Gerald Oskoboiny <gerald@impressive.net> writes:

Mind if I chime in?  (Even though you posted an EOT, Chuq).

    >> [...] I'd argue that the standard provides a false sense of
    >> security [...]

[Sorry for the butchering, Chuq, but I want to emphasize the conflict
that I see...]

    Gerald> 9.1.1 Safe Methods

    Gerald>     [...]

    Gerald>     In particular, the convention has been established
    Gerald>     that the GET and HEAD methods SHOULD NOT have the
    Gerald>     significance of taking an action other than
    Gerald>     retrieval. These methods ought to be considered
    Gerald>     "safe".  This allows user agents to represent other
    Gerald>     methods, such as POST, PUT and DELETE, in a special
    Gerald>     way, so that the user is made aware of the fact that a
    Gerald>     possibly unsafe action is being requested.

So people will have their browser mark these links in a special way
(is any browser actually doing that?).

*That* is the false sense of security Chuq mentioned.  (I think ;-)

"This link is a safe link, because my browser tells me so".  A fat lot
of good that will do them.

(BTW: anyone realize that it's "SHOULD NOT" and not "MUST NOT"?  Read
RFC2119 and you'll see how this is relevant to *this* mailman
discussion (yes, I've seen Barry's BDFL pronouncement... I just like
to argue and debate ;-))

    Gerald>     The important distinction here is that the user did
    Gerald>     not request the side-effects, so therefore cannot be
    Gerald>     held accountable for them.

    Gerald>     -- http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#se

Yay!  I didn't know the HTTP standards body wrote law.  Or has RFC2616
been passed by the House?  And been confirmed by the Senate?  (Or is
it the other way 'round?)

    Gerald> but once all that's been said, it's really up to the
    Gerald> implementations to do the right thing.

And then we'll have the old and beloved game of "passing the buck".
"Me?  But my browser showed me the link was safe!"  "Us?  We just
implemented the standard!".  "Us?  Ooops..."  ;-)

    >> No, but it can cause actions you'll regret. You started this by
    >> bringing up one as a problem. Now, however, you're saying
    >> "well, that's no big deal".

As you can see above, Chuq, apparently RFC2616 contains new law saying
that whatever that link did is "Not Your Fault" (The Browser Made Me
Do It!)  (Hey, Barry, I've got a song idea: "Not My Fault -- The
Browser Made Me Do It (The RFC2616 Blues)" ;-)

Bye, J

PS: This is a resend, because the first mail out went to Chuq
only... I screwed up the To header.

 Jürgen A. Erhard  (juergen.erhard@gmx.net, jae@users.sourceforge.net)
          My WebHome: http://members.tripod.com/Juergen_Erhard
        GIMP - Image Manipulation Program (http://www.gimp.org)
          Codito, ergo sum - I code, therefore I am -- Raster

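The thread above is about whether a confirmation link in an e-mail may perform the subscription on a plain GET. The following is an added example, not Mailman's code and not posted by anyone in the thread: a minimal confirmation handler that keeps GET and HEAD free of side effects, as RFC 2616 section 9.1.1 asks, and performs the actual state change only on POST, so that the link a user clicks from the mail shows a form and the subscription happens only after a deliberate submit. The names (PENDING, SUBSCRIBED, handle_request, new_pending), the token format and the sample pending entry are assumptions made for the example.

```python
"""Added example (not Mailman's code): confirmation flow where GET is safe.

GET  /confirm?token=...  -> renders a form, changes nothing
POST /confirm            -> body 'token=...', performs the subscription

PENDING, SUBSCRIBED, the token format and the sample entry are
assumptions for illustration only.
"""
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample state: one pending confirmation, nobody subscribed yet.
PENDING = {"tok-abc123": "alice@example.org"}
SUBSCRIBED = set()


def new_pending(address):
    """Register a pending subscription and return its unguessable token."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    PENDING[token] = address
    return token


def _lookup_token(token):
    """Return the address for a pending token, or None.

    Compares in constant time so response timing does not leak which
    prefix of a guessed token matched.
    """
    for known, address in PENDING.items():
        if hmac.compare_digest(known, token):
            return address
    return None


def handle_request(method, url, body=""):
    """Dispatch one request and return (status, text)."""
    parsed = urlparse(url)
    if parsed.path != "/confirm":
        return 404, "not found"

    if method in ("GET", "HEAD"):
        token = parse_qs(parsed.query).get("token", [""])[0]
        if _lookup_token(token) is None:
            return 404, "unknown or expired confirmation token"
        # Safe method: only a form is returned. A prefetching proxy or a
        # link-checking mail gateway that follows this URL changes nothing.
        form = (
            '<form method="POST" action="/confirm">'
            f'<input type="hidden" name="token" value="{html.escape(token)}">'
            "<button>Confirm subscription</button></form>"
        )
        return 200, ("" if method == "HEAD" else form)

    if method == "POST":
        token = parse_qs(body).get("token", [""])[0]
        address = _lookup_token(token)
        if address is None:
            return 404, "unknown or expired confirmation token"
        # Unsafe method: this is the one place the side effect lives.
        del PENDING[token]  # tokens are single use
        SUBSCRIBED.add(address)
        return 200, f"{address} subscribed"

    return 405, "method not allowed"
```

The point the example makes is that the browser marking a link as "safe" is irrelevant; what matters is that the server does nothing on GET that it would regret, and that the single-use token is only consumed by the POST.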