Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

Hi emacs-devel,

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=18812 added a url-user-agent 
setting to Emacs, but it only partly addressed feature request. The original 
suggestion was:

> The url.el functions for making HTTP requests set the User-Agent header
> to "URL/Emacs" which is not very descriptive. It would be helpful to
> include the Emacs version, at least.

I'm bringing this up again, as I do think it would be useful to have a more 
informative User-Agent string. The new system is very useful for customization, 
but it does not address the original issue. The two main advantages that I see 
for a more informative User-Agent string are these:

* Package archives could work around issues with old versions of package.el 
(for example, 24.3 is somewhat dependent to the order in which dependencies are 
listed).
* Package authors could get per-version and possibly per-platform statistics. 
Backwards compatibility is not always easy, so knowing which Emacs versions 
your users are on would be very useful, in particular to know when to drop 
support for an old version.

These use cases were raised in https://github.com/melpa/melpa/issues/3493, in 
particular. Interestingly, they don't necessarily suggest that we should change 
url-user-agent; instead, wouldn't it be best for different parts of Emacs to 
use different user-agent strings? In particular, should eww and package.el 
really use the same User-Agent string? We could instead introduce separate a 
package-user-agent variable, and possibly an eww-user-agent variable; this 
would be in line with what other programs do: it's uncommon to advertise only 
the library used to access the web (in our case, ‘URL’) in a User-Agent string, 
instead of the actual User-Agent.

Generally speaking, I would be in favor of always advertising the current Emacs 
version, and the OS, instead of only advertising it for package.el: this would 
be in conformance with RFC 7231 (see below), and with what many other browsers 
do (but fixing this issue by introducing a package-user-agent string would work 
as well, and might alleviate some concerns that were expressed in the original 
bug thread). Some expressed privacy concerns about this, but other parts of 
Emacs already advertise this information fully (Stefan, for example, your 
emails are tagged with "Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)"). Has 
there been complaints about Gnus doing that?

Are there reasons to prefer a very generic User-Agent string? Do these reasons 
also apply to a package.el-specific one?

Cheers,
Clément.

> 5.5.3.  User-Agent
>
>    The "User-Agent" header field contains information about the user
>    agent originating the request, which is often used by servers to help
>    identify the scope of reported interoperability problems, to work
>    around or tailor responses to avoid particular user agent
>    limitations, and for analytics regarding browser or operating system
>    use.  A user agent SHOULD send a User-Agent field in each request
>    unless specifically configured not to do so.
>
>      User-Agent = product *( RWS ( product / comment ) )
>
>    The User-Agent field-value consists of one or more product
>    identifiers, each followed by zero or more comments (Section 3.2 of
>    [RFC7230]), which together identify the user agent software and its
>    significant subproducts.  By convention, the product identifiers are
>    listed in decreasing order of their significance for identifying the
>    user agent software.  Each product identifier consists of a name and
>    optional version.
>
>      product         = token ["/" product-version]
>      product-version = token
>
>    A sender SHOULD limit generated product identifiers to what is
>    necessary to identify the product; a sender MUST NOT generate
>    advertising or other nonessential information within the product
>    identifier.  A sender SHOULD NOT generate information in
>    product-version that is not a version identifier (i.e., successive
>    versions of the same product name ought to differ only in the
>    product-version portion of the product identifier).
>
>    Example:
>
>      User-Agent: CERN-LineMode/2.15 libwww/2.17b3
>
>    A user agent SHOULD NOT generate a User-Agent field containing
>    needlessly fine-grained detail and SHOULD limit the addition of
>    subproducts by third parties.  Overly long and detailed User-Agent
>    field values increase request latency and the risk of a user being
>    identified against their wishes ("fingerprinting").
>
>    Likewise, implementations are encouraged not to use the product
>    tokens of other implementations in order to declare compatibility
>    with them, as this circumvents the purpose of the field.  If a user
>    agent masquerades as a different user agent, recipients can assume
>    that the user intentionally desires to see responses tailored for
>    that identified user agent, even if they might not work as well for
>    the actual user agent being used.
>

signature.asc
Description: OpenPGP digital signature