Tuesday, January 22, 2008


HTML 5 draft

W3C has published an early working draft for HTML 5. It warns readers: "Implementors should be aware that this specification is not stable. Implementors who are not taking part in the discussions are likely to find the specification changing out from under them in incompatible ways." This is expanded with lots of warnings and notations in bright red boxes.

Let the arguments begin!



Friday, January 18, 2008


Article on format registries

Today I came upon an article, "File format typing and format registries" (RTF) by Gareth Knight, which provides a nice summary of format registry status (and also mentions JHOVE). It's about a year old, but still useful.

GDFR is, incidentally, still in progress, with HUL and OCLC as the main partners, and is expected to go live this summer.



Tuesday, January 15, 2008


Dublin core news

There are a couple of announcements from the Dublin Core Metadata Initiative:

A major maintenance update of the DCMI metadata terms has been issued. The revisions are described here.

There is a new DCMI recommendation on Expressing Dublin Core metadata in RDF, replacing earlier documents. There is discussion of the changes in "Notes on DCMI specifications for Dublin Core metadata in RDF."

See DCMI 2008 news for more details on these announcements and others.


Monday, January 07, 2008


Microsoft reverses on "unsafe" formats

Microsoft has reversed its claim that a number of legacy formats are unsafe. Its updated advisory admits that the security concerns are in its own code and not in the formats.

Good for Microsoft for admitting it gave incorrect information.



Status of JHOVE

JHOVE 1.1 will continue to be maintained at HUL/OIS, and I'll be responsible for it.

OIS won't be a principal player in JHOVE 2, though I'll be keeping an eye on it and will be sure to mention news about it here.



Wednesday, January 02, 2008


Vulnerability of legacy formats

Microsoft has announced that in Office 2003 SP3, a number of older file formats are disabled by default. The document gives information on how to go into the Registry and override the block, so users who need those formats aren't left high and dry. But the reason for the block should raise concerns: "By default, these file formats are blocked because they are less secure. They may pose a risk to you."

Rob Weir expresses skepticism, noting that the CERT database lists no vulnerabilities for these formats. In general, older formats are more secure, simply because they usually don't include any capability to access external resources. Some of the formats listed are Microsoft formats, so it's possible that they have undocumented features which only Microsoft knows about. It seems implausible that anything as simple as the SYLK format has any capabilities of being exploited, but Microsoft created and maintained the format, so its engineers must know best.

There are issues with third-party formats too. The CorelDraw CDR format has never been published, so it's likewise difficult to say what might lurk in it. A company as big as Microsoft most likely didn't reverse engineer the format, but probably licensed either confidential information or actual code from Corel. If Microsoft licensed the specs, it's in the best position to evaluate how secure the format is; if it licensed code (especially if it didn't include source), its engineers today might have no way of revising the code or determining how safe it is.

All the formats listed are proprietary, and while various people have worked out descriptions of them, there's no guarantee that they don't have back-door features. These features are harmless if a converter ignores them, but we can't judge the safety of a proprietary converter operating on an unpublished format.

So while I'm skeptical that those formats pose risks, I'm not in a position to say that they don't, and neither is any other software engineer without inside information. Even without the incentive provided by SP3, it's best to take any files in these formats and do a one-time conversion to a supported and published format.

See update, January 7.


