EPUB3 WG Telco January 20 2022 — Minutes

Date: 2022-01-20

See also the Agenda and the IRC Log

Attendees

Present: Zheng Xu (徐征), Shinya Takami (高見真也), Masakazu Kitahara, Matthew Chan, Wendy Reid, Brady Duga, Murata Makoto, Dan Lazin

Regrets:

Guests:

Chair: Wendy Reid

Scribe(s): Matthew Chan

Content:

Wendy Reid: today we are going to continue discussion re. privacy and security sections that need to be finalized before CR.
… there is one change since the agenda was sent out - we now have PR for updates to privacy and security sections in both core spec and rs spec.

Wendy Reid: See PR on security and privacy sections.

Wendy Reid: we talked about the TAG issues in last week’s meeting, but there may be implication for the issues raised by PING.

1. PING Issues (with context from TAG).

See github pull request epub-specs#1972.

Wendy Reid: these 6 issues need to be satisfied before we can go to CR.
… they are similar to issues raised by TAG.
… the new PR includes the threat model for both core and RS, as well as high level epub specific recommendations to content creators and RS implementors about use of remote resources, data collection, etc..
… have we missed anything?.
… does that mean we have satisfied the PING issues?.

Brady Duga: i commented on one of the PING bugs, but we’ve had some developments since in, so those comments might not be relevant now.

Wendy Reid: some issues are challenging to talk about - e.g. DRM. We didn’t write the spec to cover DRM, so we can only make some general recommendations.
… ditto security aspects related to core web tech.
… maybe some additional notes we can make re. epub and relation to browsable web?.

Brady Duga: do we say that when you open a link in its own browsing context we notify users that this is about to happen?.

Wendy Reid: mgarrish has included a line about informing users that they are about to be taken somewhere.
… there is an open issue around information exposure and fingerprintability.
… we say not to collect data, and be clear about what you are doing with that data.
… make sure you have permission to use author data if you do collect it.
… currently none of our recommendations have to do with obfuscation.
… not sure if we are adding anything to the obfuscation section of the spec at this point.
… unclear how we would make that more robust.
… we don’t have a better solution.

Brady Duga: we do have better solutions, but there is existing content and existing RS that make use of existing obfuscation.
… it would hurt users to remove it at this point.

Dan Lazin: we would have issues with Adobe, they feel strongly about this.

Wendy Reid: the bulk of our recommendations are about interactivity.
… not sure we could say more.
… re. self contained packages we could maybe elaborate, but i don’t have strong feelings.
… and most of the concern was about the privacy model of the web, which we addressed earlier.

Dan Lazin: what is self contained package?.

Wendy Reid: everything for a given epub is contained within its own package, does not depend on other epubs.
… which is good for privacy, but maybe we could highlight that more.

Dan Lazin: or encourage publishers to make sure that epubs are more self-contained (we allow remote resources).
… e.g. DAISY accessibility hazards announce to a store that this epub may or may not meet your needs, so we could do similar metadata tagging re. privacy and security risks.
… but that might get into the territory of changing the spec.

Wendy Reid: even the a11y metadata is contained in a separate spec (i.e. epub a11y spec).

Dan Lazin: i’ll maybe take this idea to the community group to develop.

Shinya Takami (高見真也): +1 to dlazin.

Wendy Reid: from a business POV, there is a longevity benefit to a fully self-contained epub being a better product than an epub that has remote dependencies that may rot.

Dan Lazin: its only a shame that the a11y metadata is not used more by retailers.

Wendy Reid: and it might only be relevant to power-users.
… places like VST, Redshelf, NNELs use it, but not as much in major retail - but it is becoming more common.

Shinya Takami (高見真也): our ebook store extract material from epubs before distributing to users. So metadata is relevant to retailers. Has merit for our business..

Wendy Reid: good topic for CG.
… okay, i’ll urge anyone with an interest in privacy to review the PR.

2. Bikeshed name for underimplemented features.

See github issue epub-specs#1944.

Wendy Reid: we have the unique problem that this is a 20 y/o spec, but with some features that were either not implemented at all, or only rarely.
… so they technically do not qualify for rec track doc.

Murata Makoto: stabilized?.

Wendy Reid: but we can position those features in a special category that we don’t want to remove from spec just yet, but which may not be supported.
… we just need to decide what to call this category.
… so we can refer to them in the CR transition document.

Dan Lazin: i think the correct name is ‘at risk features’. Seems to include both new and old underimplemented features.

Wendy Reid: ‘at risk’ is a conflict with technical terms used in the W3C process document.

Murata Makoto: How about “frozen”?.

Dan Lazin: does this apply to both new and old underimplemented features?.

Wendy Reid: we don’t have anything new that is underimplemented.

Brady Duga: not much is new at this point.

Wendy Reid: i like frozen.

Murata Makoto: in ISO we use the term stabilized - i.e. we are not going to touch the spec.

Dan Lazin: ‘legacy features’?.

Wendy Reid: legacy is already used in the spec for features that are holdovers from EPUB2 - e.g. NCX.
… they should still be supported, but we don’t encourage their use.

Brady Duga: ‘cutting edge’ - because they are RELATIVELY new.

Wendy Reid: the other part of the naming is that the name needs to be relatively well known.

Dan Lazin: okay, ‘throwback’ then?.
… ‘archived’?.
… the thing about frozen that i don’t love is that it seems like we promise we aren’t touching them, but we actually might polish them up in the future if an urgent need arises.

Wendy Reid: ‘parked’?.
… we don’t want to discourage RS implementors from implementing these features, but we don’t want authors to rely on them working.

Shinya Takami (高見真也): ‘unpopular’.

Wendy Reid: there are popular ideas in this category that just never took over.

Dan Lazin: so just ‘under implemented’ then.

Wendy Reid: we are never going to test every RS, so when we say something is under implemented because it doesn’t meet the W3C testing threshold, we don’t really know.

Murata Makoto: +1 to underimplemented.

Wendy Reid: seems like maybe under implemented is our winner?.

Dan Lazin: the internet really thinks it should be hyphenated, but i like it with no hyphen (no space).

Proposed resolution: Use the term “under-implemented” to describe features that do not meet the 2-implementor threshold for CR, but need to remain in the specification. (Wendy Reid)

Brady Duga: u14d.

Dan Lazin: are we specifically saying that it doesn’t meet 2? Or just that authors should not use these features because they are not used by the mainstream?.

Wendy Reid: for the W3C priority of implementor doesn’t matter.

Dan Lazin: for the benefit of our users should we use this category as a warning for features not in the mainstream?.

Shinya Takami (高見真也): +1.

Wendy Reid: +1.

Zheng Xu (徐征): +1.

Brady Duga: +1.

Murata Makoto: +1.

Dan Lazin: +1.

Wendy Reid: not sure we should get into that, politics, etc..

Toshiaki Koike: +1.

Matthew Chan: +1.

Resolution #1: Use the term “under-implemented” to describe features that do not meet the 2-implementor threshold for CR, but need to remain in the specification.

Wendy Reid: great, this will help us write our CR exit criteria.

3. AOB?.

Wendy Reid: .

Wendy Reid: reminder re. reviewing PR about security and privacy.
… more comments the better, especially before PING and TAG get their hands on it.
… great, thanks everyone!.
… see you all in a week or so!.

4. Resolutions