16:00:31 RRSAgent has joined #rdb2rdf
16:00:31 logging to http://www.w3.org/2010/08/17-rdb2rdf-irc
16:00:44 zakim, this will be rdb2rdf
16:00:44 ok, Ashok; I see SW_RDB2RDF()12:00PM scheduled to start now
16:00:52 chair: Ashok
16:01:00 Meeting: RDB2RDF
16:01:23 trying to call in
16:01:28 it says that the passcode is not valid
16:01:29 SW_RDB2RDF()12:00PM has now started
16:01:32 anybody else having this problem?
16:01:36 +Souri
16:01:43 whalb has joined #RDB2RDF
16:01:49 Souri has joined #rdb2rdf
16:02:11 +Ashok_Malhotra
16:02:20 regrets: Boris, Marcelo, AlexDeLeon
16:02:20 + +43.316.876.aaaa
16:02:28 zakim, aaaa is me
16:02:28 +whalb; got it
16:03:54 + +1.512.471.aabb
16:04:10 zakim, who is on the phone?
16:04:10 On the phone I see Souri, Ashok_Malhotra, whalb, +1.512.471.aabb
16:04:15 Zakim, aabb is me
16:04:15 +juansequeda; got it
16:04:37 +EricP
16:05:25 scribenick: whalb
16:05:38 scribe: Wolfgang
16:05:55 topic: accept minutes from last meeting
16:06:06 Admin PROPOSAL: Accept the minutes of last meeting, see http://www.w3.org/2010/08/10-rdb2rdf-minutes.html
16:06:30 no objections heard
16:06:40 minutes from 10 August accepted
16:06:41 +Kingsley_Idehen
16:06:50 Zakim, Kingsley_Idehen is OpenLink_Software
16:06:50 +OpenLink_Software; got it
16:06:56 Zakim, OpenLink_Software is temporarily me
16:06:56 +MacTed; got it
16:06:59 Zakim, mute me
16:06:59 MacTed should now be muted
16:08:13 topic: Conclude discussion of Richard's comments on SQL-based approach
16:08:34 ashok: cygri not present, suggest to look at last e-mail and discuss it
16:08:35 Topic: Richard's comments on SQL-based approach
16:08:39 http://lists.w3.org/Archives/Public/public-rdb2rdf-wg/2010Aug/0004.html
16:09:10 ... went up to section 3 last time
16:09:29 ... richard suggests to support URI templates
16:10:29 souri: similar to revelyx presentation
16:11:35 ... in uri template document there is an example
16:11:55 http://example.com/emp/{empno}" />
16:12:10 ... emp is a variable
16:12:30 ... empno value could be a column name
16:13:01 cygri has joined #rdb2rdf
16:13:30 ... almost like happening on the client side
16:14:21 ... agree with proposition, but not a standard yet - going to become a standard
16:14:38 ... it is not core to proposal
16:14:41 ashok: agrees
16:15:07 hi Ashok, Souri and all... just quickly calling in to send regrets, flight was delayed and i'm still at the airport with nowhere to take the call... sorry!
16:15:46 regrets+: Richard
16:15:59 juansequeda: there should be a standard way of generating URIs
16:16:07 souri: uri template is a good way to do this
16:16:39 ... uri template is an option, should keep it separate from SELECT statement
16:16:49 ... there are more pressing issues in the core itself
16:17:05 ... we need to resolve the more complex problems before, like transaction tables
16:17:15 hhalpin has joined #rdb2rdf
16:17:18 "http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor@@offer.publisher@@/Offer@@offer.nr@@"
16:17:26 http://www4.wiwiss.fu-berlin.de/bizer/BerlinSPARQLBenchmark/V1/results/store_config_files/d2r-mapping.n3
16:17:36 hhalpin has changed the topic to: Call: August 17th
16:18:05 ericP: scenario is a short-hand way to express simple things
16:18:23 ... if somebody does a query and asks for something like...
16:18:25 http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor23/Offer18
16:18:37 ... this mapping can be reserved
16:18:57 http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor /foo/bar /Offer18
16:19:20 ... if expressivity was like above example it would need more to reserve it
16:19:29 http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor Bob /Offer18
16:19:35 present: Ashok, EricP, HarryHalpin, Ivan, Juan, LeeF, Ted, Souri, Wolfgang
16:19:51 my note on this was: A somewhat unrelated aspect would be to consider automatic derivation of inverse expression (if any) since now we need to parse the URI template anyway.
16:19:55 juansequeda: you cannot expect that parsing the uri gives the semantics, is a security risk
16:20:19 ... that's not the way it should be
16:20:49 ericp: we are not hiding primary key values
16:20:55 ... you can include any attribute you like
16:21:33 +[IPcaller]
16:21:39 juansequeda: potential sql injection like problem - comments from oracle?
16:21:42 Zakim, [IPCaller] is hhalpin
16:21:42 +hhalpin; got it
16:21:46 http://www4.wiwiss.fu-berlin.de/bizer/bsbm/v01/instances/dataFromVendor';+DROP+TABL+Products+/Offer18
16:21:52 ... could lead to an exploit
16:22:26 souri: as long as we use bind variables, defined variables it will not be part of sql treatment
16:22:52 juansequeda: if someone sends a uri and it is dereferenced into the sql it might be a potential hack
16:22:58 souri: we are not having this problem today
16:23:33 juansequeda: there is a standard - life science ids - ...
16:23:45 ... they were invented in anticipation of rdb2rdf and very likely...
16:24:04 I wanted to ask whether we are introducing a new security problem?
16:24:24 .... address the problem
16:25:11 Zakim, unmute me
16:25:11 MacTed should no longer be muted
16:25:17 ericp: we cannot give up uri from sql
16:25:34 juansequeda: if somebody does not want to use URIs in sql?
16:25:43 q+
16:26:03 whalb, I meant if I don't want to put primary key values in the URI
16:26:06 ericp: some companies might not use the standard because it violates principles
16:26:15 ashok: that's not going to happen
16:26:26 ... the question is if this is the only way of creating a uri
16:26:39 +1 Ashok
16:26:39 q+
16:26:39 ... there are also other ways
16:26:53 ... you could create a function
16:27:04 ... the template is useful but it should not be the only technique
16:27:11 souri: it is not the only technique, but an option
16:27:20 ... you can have an expression in the query itself
16:27:35 ... if we have a template there are some positions that are variables
16:27:49 ... should come out from the view / sql definition
16:28:05 ... primary key column could be anything like that
16:28:10 ... we can use it in uri template
16:28:14 q-
16:28:21 it could also be pk+1000 or concat(foo.fn, ",", foo.ln)
16:28:26 ashok: let's go on to 3.2
16:28:27 Zakim, mute me
16:28:27 MacTed should now be muted
16:28:35 q+
16:28:36 all of these offer identical opportunities for injection attacks
16:28:41 q- hhalpin
16:29:11 it's important to state that this "option" is NOT best practice
16:29:14 even if available
16:29:14 hhalpin ?
16:29:29 souri: do not agree with that comment
16:30:33 Just also pointing out templates is not the only option, but would be surprised if we did not allow some arbitrary function could generate URIs given a string identifier.
16:30:55 ... you could create a superclass c
16:31:02 +1 to hhalpin
16:31:11 ... if i want to go to the posting it has some implications
16:31:34 ... if i want to go to c1 i might have to do more work to find the ones that are c1s only
16:31:44 ashok: any comments?
16:32:26 ... souri wants only one class mapped, richard suggests more
16:32:56 souri: rdf level granularity we should allow the same level
16:33:26 ashok: don't see any disagreement here
16:33:29 i think the same issue arises when you have more than one attribute mapped to the same RDF predicate
16:34:12 ashok: when you do a property map you allow the name from the view
16:34:34 ... problem is you have to specify a view, you cannot put the sql here
16:34:41 doctor.name => foaf:name patient.name => foaf:name
16:35:08 SELECT ?doc { ?doc foaf:name "Bob" }
16:35:16 souri: it is a simple way of specifying
16:35:40 ... when you are doing select * which one is the uri
16:35:53 ... typically you get out values, not uris
16:36:16 ... it is very likely that you need to modify the select * result to show uri
16:36:23 ... you might need a specific uri template
16:36:54 ashok: 3.4 column names
16:37:07 ... richard wants to allow a literal rather than column names
16:37:10 ... seems ok to me
16:37:19 souri: agree basically to that one too
16:37:50 ... just a note: how do you show the fact that a particular property has a constant value?
16:38:24 ashok: end of richard's comments - we can talk about that when richard is here next week
16:38:33 topic: Revised SQL-based proposal from Souri
16:38:56 Revised SQL-based proposal from Souri http://www.w3.org/2001/sw/rdb2rdf/wiki/An_XML_Schema_for_SQL-based_RDB2RDF_Mapping_%28Revision_1%29 http://www.w3.org/2001/sw/rdb2rdf/wiki/Example_of_SQL-based_RDB2RDF_Mapping:_Revision_1
16:39:36 souri: the translation tables - how can we handle large tables in sql directly
16:39:49 ... send e-mail with richard
16:39:51 ironic, given that's exactly what we expect SQL to do for us
16:40:08 ... main modifications in current version
16:40:14 ... the sql schema
16:40:27 ... second block rdf subject added
16:40:49 ... there is block called InstanceIdMap
16:42:00 ... in GraphURIPropertyMap...
16:42:28 ... now the property themselves point back
16:42:43 ... extended the propertymap element by adding graphuri
16:43:33 ... also added datatype - you can specify that a constant data type applying to each from database
16:43:39 ... also added language
16:43:56 ... more additions have to do with ComputedPropertyMap
16:44:01 ... regarding richard comment 2.4
16:44:27 ... the computed property name is coming from a db column name
16:45:11 ... the first name says whether it is computed or not
16:45:43 ... the column will be the attribute - that's how the computed property name is defined
16:46:42 ... we have to take sql injection into account
16:47:21 ... in keymap definitions we need foreign key property
16:47:28 ... if we do a join what is the join condition
16:47:52 ... ForeignKeyPropertyMap has a ForeignKeyPropertyName which has a ParentClassName
16:48:03 ... the JoinCondition is a string where sql injection comes into account
16:48:18 ... looking at example from http://www.w3.org/2001/sw/rdb2rdf/wiki/Example_of_SQL-based_RDB2RDF_Mapping:_Revision_1
16:49:29 ... in example there is ForeignKeyPropertyMap info
16:50:01 ... the join condition we need to use in the translation from sparql to sql
16:50:22 ... the child and parent will be replaced with the ref
16:50:38 ... re. sql injection we take a string here and putting it directly in the sql
16:50:51 ... we need to check here to be sure we can use it without sql injection probs
16:51:08 ericp: example looking for employee named bob
16:51:30 ... anything we carry through, regardless if it's identifier we offer the opportunity of injection
16:51:37 Zakim, unmute me
16:51:37 MacTed should no longer be muted
16:52:01 ... industry standard like in php do checking of potential sql injection
16:52:15 souri: here we use expression
16:52:27 ... if we use bind variable it cannot cause sql injection
16:52:56 ... had idea that join condition includes equals
16:53:05 ... join condition defined as pairs
16:53:23 ericp: protecting yourself from people with write access
16:53:49 souri: yes but if you have access to table t1 you should not be able to access table t2
16:54:01 ... it is important but my idea might be a solution for the prob
16:54:20 ... we can individually check each part of the pair
16:54:42 ericp: the person who has write privileges in the config file should be someone you trust to a certain level
16:55:23 ... we are not protecting use from people who configure the db and not from users
16:55:36 souri: that's the point - not everybody can write the specs
16:56:27 ... it is better not to even trust the guy who is writing the config
16:56:52 ericp: can we protect ourselves from that person anyway?
16:57:21 souri: yes, at oracle there are many security checks performed
16:57:42 ... joincond could be unlimited number of pairs
16:57:48 ... from that pov we are not losing anything
16:58:37 ... example does not show everything, have to extend that example
16:59:37 ashok: will be out next week, michael will be back
16:59:50 ... we should carry on here and then write it down formally
16:59:51 +1 writing it up asap
17:01:02 ericp: have started document draft, can continue on it
17:02:30 we can change telecon times.
17:02:49 -Ashok_Malhotra
17:02:51 -EricP
17:02:53 -Souri
17:02:54 -whalb
17:02:55 -MacTed
17:02:58 -juansequeda
17:03:19 rrsagent, make logs public
17:03:34 rrsagent, create minutes
17:03:34 I have made the request to generate http://www.w3.org/2010/08/17-rdb2rdf-minutes.html Ashok
17:04:51 exit
17:05:32 ashok, will you send out the minutes or should I do it
17:05:55 I'll do it. Thanks, Wolfgang!
17:46:25 -hhalpin
17:46:26 SW_RDB2RDF()12:00PM has ended
17:46:28 Attendees were Souri, Ashok_Malhotra, +43.316.876.aaaa, whalb, +1.512.471.aabb, juansequeda, EricP, MacTed, hhalpin
18:19:05 juansequeda has joined #rdb2rdf
19:28:39 Zakim has left #rdb2rdf