upvote

points

by jimmypk23 hours ago |
comments
upvoteby physicles19 hours ago|
next
[-]
I’m one of those that have thrown out Postel’s law entirely. Maybe the issue is that it never defines “strict”, “liberal”, and “accept”. But at least for public APIs, it never made sense to me.

If I accidentally accept bad input and later want to fix that, I could break long-time API users and cause a lot of human suffering. If my input parsing is too strict, someone who wants more liberal parsing will complain, and I can choose to add it before that interaction becomes load-bearing (or update my docs and convince them they are wrong).

The stark asymmetry says it all.

Of course, old clients that can’t be upgraded have veto power over any changes that could break them. But that’s just backwards compatibility, not Postel’s Law.

Source: I’m on a team that maintains a public API used by thousands of people for nearly 10 years. Small potatoes in internet land but big enough that if you cause your users pain, you feel it.

reply
upvoteby hnfong1 hours ago|
parent|
next
[-]
Isn't there a (admittedly messed up) possibility where some crazy API user would depend on the strict behavior and expect your API to return an error, but after the upgrade the parsing check is relaxed and it breaks that user's code?
reply
upvoteby zffr18 hours ago|
parent|
prev|
next
[-]
One example where I think the law does make sense is for website URL paths.

Over time the paths may change, and this can break existing links. IMO websites should continue to accept old paths and redirect to the new equivalents. Eventually the redirects can be removed when their usage drops low enough.

reply
upvoteby zaphar18 hours ago|
parent|
prev|
next
[-]
I probably use a different interpretation of Postel's law. I try not "break" for anything I might receive, where break means "crash, silently corrupt data, so on". But that just means that I return an error to the sender usually. Is this what Postel meant? I have no idea.
reply
upvoteby ragnese14 hours ago|
parent|
next
[-]
I don't think that interpretation makes that much sense. Isn't it a bit too... obvious that you shouldn't just crash and/or corrupt data on invalid input? If the law were essentially "Don't crash or corrupt data on invalid input", it would seem to me that an even better law would be: "Don't crash or corrupt data." Surely there aren't too many situations where we'd want to avoid crashing because of bad input, but we'd be totally fine crashing or corrupting data for some other (expected) reason.

So, I think not crashing because of invalid input is probably too obvious to be a "law" bearing someone's name. IMO, it must be asserting that we should try our best to do what the user/client means so that they aren't frustrated by having to be perfect.

reply
upvoteby kortex10 hours ago|
parent|
[-]
I actually dont think it's that obvious at all (unless you are a senior engineer). It's like the classic joke:

A QA engineer walks into a bar and orders a beer. She orders 2 beers.

She orders 0 beers.

She orders -1 beers.

She orders a lizard.

She orders a NULLPTR.

She tries to leave without paying.

Satisfied, she declares the bar ready for business. The first customer comes in an orders a beer. They finish their drink, and then ask where the bathroom is.

The bar explodes.

It's usually not obvious when starting to write an API just how malformed the data could be. It's kind of a subconscious bias to sort of assume that the input is going to be well-formed, or at least malformed in predictable ways.

I think the cure for this is another "law"/maxim: "Parse, don't validate." The first step in handling external input is try to squeeze it into as strict of a structure with as many invariants as possible, and failing to do so, return an error.

It's not about perfection, but it is predictable.

reply
upvoteby zaphar1 hours ago|
parent|
[-]
Right even for senior engineers this can be hard to get right in practice. Parse, don't validate is certainly one approach to the problem. Choosing languages that force you to get it right is another.
reply
upvoteby ryandrake16 hours ago|
parent|
prev|
[-]
Yea, I interpret it as the same thing: On invalid input, don't crash or give the caller a root shell or whatever, but definitely don't swallow it silently. If the input is malformed, it should error and stop. NOT try to read the user's mind and conjure up some kind of "expected" output.
reply
upvoteby zaphar15 hours ago|
parent|
[-]
I think perhaps a better wording of the law would be: "Be prepared to be sent almost anything. But be specific about what you will send yourself".
reply
upvoteby buu7008 hours ago|
parent|
prev|
[-]
I've always liked Postel's law as a general philosophy toward life. But yeah, it's definitely become a little dated in the software world, if it was ever a good idea at all.
reply
upvoteby nothrabannosir21 hours ago|
prev|
next
[-]
I used to see far more references to Postel’s law in the 00s and early 10s. In the last decade, that has noticeably shifted towards hyrum’s law. I think it’s a shift in zeitgeist.
reply
upvoteby throwaway17373822 hours ago|
prev|
next
[-]
I look at Postel’s law more as advice on how to parse input. At some point you’re going to have to upgrade a client or a server to add a new field. If you’ve been strict, then you’ve created a big coordination problem, because the new field is a breaking change. But if you’re liberal, then your systems ignore components of the input that they don’t recognize. And that lets you avoid a fully coordinated update.
reply
upvoteby ragnese14 hours ago|
parent|
next
[-]
Yes, what Postel's Law is about. That's the whole point of contrasting it with Hyrum's Law, no?

Hyrum's Law is pointing out that sometimes the new field is a breaking change in the liberal scenario as well, because if you used to just ignore the field before and now you don't, your client that was including it before will see a change in behavior now. At least by being strict, (not accepting empty arrays, extra fields, empty strings, incorrect types that can be coerced, etc), you know that expanding the domain of valid inputs won't conflict with some unexpected-but-previously-papered-over stuff that current clients are sending.

reply
upvoteby 14 hours ago|
parent|
prev|
[-]
deleted
reply
upvoteby zahlman22 hours ago|
prev|
next
[-]
I've always thought of Hyrum's Law more as a Murphy-style warning than as actionable advice.
reply
upvoteby dmoy18 hours ago|
parent|
[-]
Yea hyrum's law is like an observation of what happens when you personally try to make 200,000+ distinct commits to google3 to fix things that are broken (as hyrum did, mind you this is before LLMs), and people come climbing out of the woodwork to yell at you with fistfuls of xkcd/1172
reply
upvoteby astrobe_19 hours ago|
prev|
next
[-]
This reminds me of a comment I read here a long time ago; it was about XML and how DTDs were supposed to permit one to be strict. However, in reality, the person said, if the the other end who is sending you broken XML is a big corp who refuses to fix it, then you have no choice but accept it.

Bottom line: it's all a matter of balance of powers. If you're the smaller guy in the equation, you'll be "Postel'ed" anyway.

Yet Postel's law is still in the "the road to hell is paved with good intentions" category, for the reason you explain very well (AKA XKCD #1172 "Workflow"). Wikipedia even lists a couple of major critics about it [1].

[1] https://en.wikipedia.org/wiki/Robustness_principle

reply
upvoteby jimbokun17 hours ago|
parent|
[-]
Would be tempted to stick a proxy in there that checks if the data is malformed in the expected way, and if so converts it to the valid form before forwarding to the real service.
reply
upvoteby someguyiguess21 hours ago|
prev|
[-]
I propose we add your law: Jimmy’s Law
reply