On 15/06/2017 08:20, Joel M. Halpern wrote:
...
I would be very unhappy to see us take the lesson from cases where we
were sloppy to be that we should tell everyone to have their
implementations break at the slightest error.
Indeed. We need implementations to be as robust as possible. That
means careful thought, both in the specification and in every
implementation, about how to handle malformed incoming messages.
There's no single correct answer, as I am certain Jon would have
agreed. Some types of malformation should simply be ignored,
because the rest of the message is valid. Others should cause the
message to be discarded, or should cause an error response to be
sent back, or should cause the error to be logged or reported to
the user. There is no single correct solution.
Clearly the Postel principle was intended as general guidance.
Looking at the core of the draft:
Protocol designs and implementations should fail noisily in
response to bad or undefined inputs.
that seems a very reasonable principle for *prototype* and
*experimental* implementations, and a lousy one for production
code, where the response to malformed messages should be much
more nuanced; and the users will prefer the Postel principle
as a fallback.
Brian