[Spice-devel] [PATCH spice-protocol] Add Spice URI Scheme document

Christophe Fergeau cfergeau at redhat.com
Tue Jan 8 13:51:47 UTC 2019


On Tue, Jan 08, 2019 at 04:40:47PM +0400, Marc-André Lureau wrote:
> Hi
> 
> On Tue, Jan 8, 2019 at 4:24 PM Christophe Fergeau <cfergeau at redhat.com> wrote:
> >
> > On Wed, Dec 19, 2018 at 06:33:59PM +0400, marcandre.lureau at redhat.com wrote:
> > > +URI Parameters
> > > +--------------
> > > +
> > > +A description of host information and URI parameters is provided in
> > > +this section.  Information on the constraints of various data types is
> > > +provided in Section "Data Types".  All parameters are considered optional;
> > > +however, a client will not be able to connect without sufficient
> > > +information.
> > > +
> > > +A parameter without a specified default value indicates that no
> > > +default value is implied by this URI scheme; however, Spice clients
> > > +can apply implementation-dependent default behaviors otherwise
> > > +consistent with this document.
> > > +
> > > +The <userinfo> value is deprecated and processed only in an
> > > +implementation-specific manner.  The <userinfo> component MUST NOT be
> > > +generated in an environment where a client supporting an updated URI
> > > +format is expected to be available.
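
Review bot: The <userinfo> paragraph at the end of this hunk says the component MUST NOT be generated where "a client supporting an updated URI format is expected to be available", but the visible text never says what that updated format is or which parameter replaces <userinfo>, so a generator cannot tell when the MUST NOT applies. The paragraph also gives no reason for the deprecation and leaves processing "implementation-specific", which does not tell a client whether a password part is accepted or ignored. Suggest naming the replacement parameters in this section (or dropping the MUST NOT until they exist), stating the rationale for the deprecation, and specifying the handling of the username and password parts of <userinfo> separately.
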
> >
> > I don't think we should deprecate userinfo now, this is coming from the
> 
> Rationale? in spice-gtk there is a warning if you make use of it:
>              g_warning("password may be visible in process listings");

'userinfo' is username + password, I don't think we want to forbid
usernames in the URI, nor to deprecate that. Also, my understanding
from the VNC URI spec is that it's deprecated because there are
VncUsername/VncPassword replacements. In our case we don't have these.

Regarding that warning that you mention, this is for a very specific use
case, passing a URI on the command line. This document is more generic
than that, the URI with the password could be entered in a gtk text
entry, with some smartness to replace the password characters with * or
things like that, so typing the password as part of the URI is not
always terribly insecure.

Christophe