There are Several "Canonical JSON" Standards #430

Open
cedricvanrompay-datadog opened this issue Jan 12, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@cedricvanrompay-datadog

Section 1.i ("The bundle.json File") states:

The bundle.json file is a representation of bundle metadata. It MUST be represented as Canonical JSON. While Canonical JSON is parseable by any JSON parser, its serialized form is consistent. This is a necessity when comparing two textual representations of the same data (such as when hashing).

The link for "Canonical JSON" points to http://wiki.laptop.org/go/Canonical_JSON. However, this "Canonical JSON specification" is not the only one. In particular, RFC 8785 JSON Canonicalization Scheme (JCS) is another "Canonical JSON" specification that's gaining popularity.

The two specifications may have subtle incompatibilities, typically when it comes to the serialization of unicode strings and floating-point numbers.

You may want to insist on exactly which "Canonical JSON" specification you are referring to, to avoid subtle incompatibility issues between various CNAB tools.

For instance, CNAB-Go, which seems to be the "reference implementation", uses the github.com/cyberphone/json-canonicalization package, which implements RFC 8785, which is not the spec linked to in the CNAB spec.

One example of a Go package declaring to be compatible with http://wiki.laptop.org/go/Canonical_JSON is https://github.com/secure-systems-lab/go-securesystemslib/cjson.

I would suggest to

  • either use a package in CNAB-Go that implements http://wiki.laptop.org/go/Canonical_JSON or to point to RFC 8785 in the specification
  • add a warning in the specification about the existence of several "Canonical JSON" standards that are not exactly the same
  • insist in the specification on which "Canonical JSON" standard the CNAB format uses
  • reach out to the maintainers of all known implementations of CNAB to make sure they all use the same "Canonical JSON" standard
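To make the divergence described in this issue concrete, the following is an added example, not code from the CNAB spec, from cnab-go, or from either Go package named above. It is a small Python canonicalizer that applies the string-escaping, number-formatting and key-ordering rules of the OLPC "Canonical JSON" page and of RFC 8785 (JCS) to the same parsed document, then hashes both outputs. The sample document is constructed for the example. Two points are assumptions of this example rather than statements about any CNAB implementation: floats are rejected under the OLPC rules (that page only defines integers), and `json.dumps(..., ensure_ascii=False)` is used as the ES6-style string escaper that RFC 8785 requires.

```python
import hashlib
import json
import math

OLPC, JCS = "olpc", "jcs"


def jcs_number(f):
    """ES6 Number.prototype.toString of an IEEE 754 double, as RFC 8785 requires."""
    f = float(f)  # JCS has one number type: integers above 2**53 lose precision
    if not math.isfinite(f):
        raise ValueError("jcs: NaN and Infinity are not representable")
    if f == 0:
        return "0"  # -0 serializes as 0
    mant, _, exp = repr(abs(f)).partition("e")  # shortest round-trip digits
    int_part, _, frac = mant.partition(".")
    allnum = int_part + frac
    digits = allnum.strip("0")
    leading_zeros = len(allnum) - len(allnum.lstrip("0"))
    n = len(int_part) - leading_zeros + int(exp or 0)  # value == 0.<digits> * 10**n
    k = len(digits)
    if k <= n <= 21:
        out = digits + "0" * (n - k)
    elif 0 < n <= 21:
        out = digits[:n] + "." + digits[n:]
    elif -6 < n <= 0:
        out = "0." + "0" * -n + digits
    else:
        out = digits[0] + ("." + digits[1:] if k > 1 else "") + "e%+d" % (n - 1)
    return "-" + out if f < 0 else out


def _string(s, scheme):
    if scheme == JCS:
        # RFC 8785 follows ES6 JSON.stringify: only ", \ and U+0000-U+001F are
        # escaped, everything else is raw UTF-8. json.dumps behaves the same way
        # with ensure_ascii=False (assumption of this example).
        return json.dumps(s, ensure_ascii=False)
    # OLPC: only backslash and double quote are escaped; control characters
    # and every other code point are written raw.
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def canonicalize(value, scheme):
    """Serialize a parsed JSON value (as returned by json.loads) under scheme."""
    if value is None:
        return "null"
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return jcs_number(value) if scheme == JCS else str(value)
    if isinstance(value, float):
        if scheme == OLPC:  # assumption: the OLPC page defines integers only
            raise ValueError("olpc: only integers are representable, got %r" % value)
        return jcs_number(value)
    if isinstance(value, str):
        return _string(value, scheme)
    if isinstance(value, list):
        return "[" + ",".join(canonicalize(v, scheme) for v in value) + "]"
    if isinstance(value, dict):
        # OLPC sorts keys lexicographically (code point order, which equals
        # UTF-8 byte order); JCS sorts by UTF-16 code units. The two orders
        # disagree whenever a key above U+FFFF meets a key in U+E000-U+FFFF.
        key = (lambda k: k.encode("utf-16-be")) if scheme == JCS else None
        members = (_string(k, scheme) + ":" + canonicalize(value[k], scheme)
                   for k in sorted(value, key=key))
        return "{" + ",".join(members) + "}"
    raise TypeError("not a JSON value: %r" % (value,))


def canonical_hashes(doc):
    """Canonicalize the same JSON text under both schemes and hash each result."""
    parsed = json.loads(doc)
    out = {}
    for scheme in (OLPC, JCS):
        text = canonicalize(parsed, scheme)
        out[scheme] = (text, hashlib.sha256(text.encode("utf-8")).hexdigest())
    return out


# Constructed sample, not a real bundle.json: one key above the BMP (U+1F602),
# one inside it (U+FF5E) and a string containing a tab.
SAMPLE = r'{"\uff5e": 1, "\ud83d\ude02": 2, "pi": 3, "note": "tab\there"}'

if __name__ == "__main__":
    for scheme, (text, digest) in canonical_hashes(SAMPLE).items():
        print("%s: %r\n      sha256=%s" % (scheme, text, digest))
    for f in (3.0, 1e21, 1e-7, 0.1):
        print("jcs_number(%r) -> %s" % (f, jcs_number(f)))
    try:
        canonicalize(0.1, OLPC)
    except ValueError as err:
        print("olpc:", err)
```

Running it shows the three places the two documents part ways. The key U+1F602 is the surrogate pair D83D DE02 in UTF-16, so under JCS it sorts before U+FF5E, while in byte order it sorts after it. The tab inside the string is written raw under the OLPC rules and as `\t` under JCS. A value such as 0.1 is `0.1` under JCS and has no representation at all under the OLPC rules. Each difference alone is enough for two CNAB tools following different "Canonical JSON" documents to compute different digests for the same bundle.json.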
@carolynvs
Contributor

The spec originally linked to http://wiki.laptop.org/go/Canonical_JSON but later we realized that it didn't work well for what we needed so we switched to RFC 8785 in PR #414.

Thank you for raising that we forgot to update the link to canonical json at the same time. If you'd like to submit a PR to fix the link and add a note about which specific canonical json we are following, it would be welcome!

For Porter, we use RFC 8785 (since cnab-go is a dependency). What are you using at DataDog?

@carolynvs carolynvs added the bug Something isn't working label Jan 12, 2023