> Nits to fix and questions:
>
> CookieFactory looks less and less like a "factory" interface. Would
> "CookieAuthority" be a better name?
>
> ~~~~
Agreed.
>
> + virtual bool attest_timestamp(MirCookie const* cookie) = 0;
>
> This is the only place in the interface MirCookie is mentioned. Should we
> simply lose this function and require the user to call the other overload?
>
> ~~~~
The reason for keeping this, is theres no way to de construct a MirCookie in the public. So once the content hub gets a mir cookie it wont know how to *attest* it.
>
> +void mir_input_event_copy_cookie(MirInputEvent const* ev, void* cookie);
>
> I'm always cautions of APIs that take a target buffer and no buffer size -
> while not bulletproof the latter is at least a reminder to the user to obtain
> the size.
>
> ~~~~
Thats sounds quite reasonable to me.
>
> +void mir_surface_raise_with_cookie(MirSurface* surface, void const* cookie);
>
> By using void* we loose the type safety that we have with other Mir APIs. Can
> you provide some justification for this design choice? E.g. will this
> function be primarily for clients that obtained the cookie from a non-Mir API?
>
> ~~~~
I agree, and will be switching to a MirCookie* for both the copy and these functions since void* and MirCookie* will both be incomplete types.
>
> + /* No mac == no size! */
> + return 0;
>
> It should be a precondition that there's a MAC. I.e. the function should begin
> with something like:
>
> mir::require(mir_input_event_has_cookie(ev));
>
> ~~~~
This is true, if we have a function that tells you if an event has a cookie we better require it to actually have one when attempting to construct it!.
>
> +#include "mir/cookie.h"
> #include "mir/cookie_factory.h"
>
> The first include of the source file should be the corresponding header (to
> ensure it compiles by itself).
> Nits to fix and questions:
>
> CookieFactory looks less and less like a "factory" interface. Would
> "CookieAuthority" be a better name?
>
> ~~~~
Agreed.
> timestamp( MirCookie const* cookie) = 0;
> + virtual bool attest_
>
> This is the only place in the interface MirCookie is mentioned. Should we
> simply lose this function and require the user to call the other overload?
>
> ~~~~
The reason for keeping this, is theres no way to de construct a MirCookie in the public. So once the content hub gets a mir cookie it wont know how to *attest* it.
> event_copy_ cookie( MirInputEvent const* ev, void* cookie);
> +void mir_input_
>
> I'm always cautions of APIs that take a target buffer and no buffer size -
> while not bulletproof the latter is at least a reminder to the user to obtain
> the size.
>
> ~~~~
Thats sounds quite reasonable to me. raise_with_ cookie( MirSurface* surface, void const* cookie);
>
> +void mir_surface_
>
> By using void* we loose the type safety that we have with other Mir APIs. Can
> you provide some justification for this design choice? E.g. will this
> function be primarily for clients that obtained the cookie from a non-Mir API?
>
> ~~~~
I agree, and will be switching to a MirCookie* for both the copy and these functions since void* and MirCookie* will both be incomplete types.
>
> - * Copyright © 2015 Canonical Ltd.
> + * Copyright © 2016 Canonical Ltd.
>
> Don't remove the 2015 copyright claim. (I know these headers are legally
> unnecessary and PITA, but let's try to do it right.)
>
> ~~~~
Opps. Yeah Ill fix those!
> mir_input_ event_has_ cookie( ev));
> + /* No mac == no size! */
> + return 0;
>
> It should be a precondition that there's a MAC. I.e. the function should begin
> with something like:
>
> mir::require(
>
> ~~~~
This is true, if we have a function that tells you if an event has a cookie we better require it to actually have one when attempting to construct it!.
> factory. h"
> +#include "mir/cookie.h"
> #include "mir/cookie_
>
> The first include of the source file should be the corresponding header (to
> ensure it compiles by itself).
Will fix!