[
https://issues.apache.org/jira/browse/TINKERPOP-2682?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17485618#comment-17485618
]
ASF GitHub Bot commented on TINKERPOP-2682:
-------------------------------------------
FlorianHockmann commented on a change in pull request #1559:
URL: https://github.com/apache/tinkerpop/pull/1559#discussion_r797348586
##########
File path: gremlin-dotnet/src/Gremlin.Net/Gremlin.Net.csproj
##########
@@ -67,14 +67,19 @@ NOTE that versions suffixed with "-rc" are considered
release candidates (i.e. p
<RepositoryUrl>https://github.com/apache/tinkerpop</RepositoryUrl>
<PublishRepositoryUrl>true</PublishRepositoryUrl>
<AllowedOutputExtensionsInPackageBuildOutputFolder>$(AllowedOutputExtensionsInPackageBuildOutputFolder);.pdb</AllowedOutputExtensionsInPackageBuildOutputFolder>
+ <EnablePackageValidation>true</EnablePackageValidation>
+ <PackageValidationBaselineVersion>3.5.2</PackageValidationBaselineVersion>
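Review bot: `PackageValidationBaselineVersion` is pinned to the literal `3.5.2` in the second added line, with nothing in the project file saying when that value has to change. Consider adding an XML comment next to it noting that the baseline should be bumped as part of each release, so the validation does not keep comparing against a stale package version.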
Review comment:
When merging this to `master`, we'll have to see whether we already have
additional breaking changes there. Then we can decide whether we want to change
the baseline version there to `3.6.0` (as soon as that's released) to only
check for breaking changes within the 3.6 line or keep it as is to check for
breaking changes also between 3.6 and 3.5.
> Enable WebSocket compression in .NET by default
> -----------------------------------------------
>
> Key: TINKERPOP-2682
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2682
> Project: TinkerPop
> Issue Type: Improvement
> Components: dotnet
> Affects Versions: 3.5.1
> Reporter: Florian Hockmann
> Assignee: Florian Hockmann
> Priority: Minor
>
> .NET 6 added support for WebSocket compression to .NET:
> [https://devblogs.microsoft.com/dotnet/announcing-net-6/#websocket-compression]
> Users can already enable that by themselves as it has been added as a
> property {{DangerousDeflate}} to the {{ClientWebSocketOptions}} which can be
> configured via the {{webSocketConfiguration}} of the {{GremlinClient}}
> constructor in Gremlin.Net.
> Since we have enabled compression by default in Python and Java, it makes
> sense to also enable it by default in .NET. We can of course only do that for
> .NET 6 which is why we'll have to add that as an additional target framework
> to Gremlin.Net.
> The .NET 6 announcement mentions that WebSocket compression together with
> encrypted content is susceptible to attacks like CRIME and BREACH that can
> reveal the encrypted content if an attacker is able to control data that is
> sent together with the encrypted content over the same WebSocket connection.
> That is why the property to enable compression is called
> {_}Dangerous{_}Deflate and why compression can also be disabled on a
> per-message basis
> ([source|https://github.com/dotnet/runtime/issues/31088#issuecomment-804359919]).
> I suggest we can account for these possible attacks by disabling compression
> for the authentication messages we send to the server which contain
> credentials and by adding a note to the docs about this with a recommendation
> to disable compression if an application needs to send sensitive data, but
> also data controlled by (potentially untrusted) users to the server.
> Since the attacker additionally needs to be able to monitor the network
> traffic between the client and the server, I guess >99% of applications are
> not affected by this and will therefore benefit from enabling compression by
> default.
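An added example (not from the issue, the pull request or Gremlin.Net) of why the description wants compression turned off for messages that carry credentials: it checks whether the on-wire length of a message depends on the secret inside it, with and without compression. Python's `zlib` stands in for permessage-deflate, and the token values, message layout and `encode_message` policy are constructed for illustration.

```python
import zlib

# Constructed sample values; neither is a real credential.
SECRET_A = b"tok-7Qx9LmZ2vB4nR8sK1w"
SECRET_B = b"tok-Hy3PdC6fJ0uEgT5aXo"  # same length, different content
USER_DATA = SECRET_A  # untrusted input that happens to repeat SECRET_A


def deflate(payload: bytes) -> bytes:
    """Raw DEFLATE with a fresh context per message, approximating
    permessage-deflate without context takeover."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH)


def encode_message(payload: bytes, sensitive: bool) -> bytes:
    """Hypothetical sender policy: never compress messages marked sensitive."""
    return payload if sensitive else deflate(payload)


def wire_lengths(sensitive: bool) -> dict:
    """Length of a message mixing a secret with untrusted data, per secret.
    Encryption hides the content but not the length, so the length is
    what a network observer can still measure."""
    out = {}
    for name, secret in (("A", SECRET_A), ("B", SECRET_B)):
        msg = b"auth=" + secret + b";g=" + USER_DATA
        out[name] = len(encode_message(msg, sensitive))
    return out


def length_depends_on_secret(sensitive: bool) -> bool:
    """True when two equal-length secrets produce different wire lengths."""
    return len(set(wire_lengths(sensitive).values())) > 1


if __name__ == "__main__":
    print("compressed:  ", wire_lengths(sensitive=False))
    print("uncompressed:", wire_lengths(sensitive=True))
```

With compression on, the message whose secret repeats the untrusted data is shorter than the other; with compression skipped for the sensitive message, both lengths are identical.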