
[lintian] 01/01: Add test and code for insecure URIs in VCS-* fields



This is an automated email from the git hooks/post-receive script.

nthykier pushed a commit to branch master
in repository lintian.

commit 15bd395f65b4a236a67a231f6fe52f1f15405185
Author: Dr. Tobias Quathamer <toddy@debian.org>
Date:   Sat Jan 16 01:17:29 2016 +0100

    Add test and code for insecure URIs in VCS-* fields
    
    Signed-off-by: Niels Thykier <niels@thykier.net>
---
 checks/fields.desc                                           | 12 +++++++++++-
 checks/fields.pm                                             | 11 +++++++----
 debian/changelog                                             |  4 ++++
 t/tests/fields-malformed-vcs-fields/debian/debian/control.in |  2 +-
 t/tests/fields-malformed-vcs-fields/tags                     |  2 +-
 t/tests/fields-uncanonical-vcs-fields/tags                   |  2 ++
 .../debian/debian/control.in                                 |  7 +++----
 t/tests/fields-vcs-field-insecure-uri/desc                   |  6 ++++++
 t/tests/fields-vcs-field-insecure-uri/tags                   |  2 ++
 t/tests/fields-vcs-fields/debian/debian/control.in           |  4 ++--
 10 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/checks/fields.desc b/checks/fields.desc
index acea0df..13e6cdd 100644
--- a/checks/fields.desc
+++ b/checks/fields.desc
@@ -1108,7 +1108,17 @@ Info: The Vcs-Git field is pointing to a personal repository using
  a git://(git|anonscm).debian.org/~$LOGIN/$PRJ.git style URI.  This is not
  recommended since the repository this points is not automatically updated
  when pushing to the personal repository.  The recommended URI for anonymous
- access is git://anonscm.debian.org/users/$LOGIN/$PRJ.git.
+ access is https://anonscm.debian.org/git/users/$LOGIN/$PRJ.git.
+
+Tag: vcs-field-uses-insecure-uri
+Severity: wishlist
+Certainty: certain
+Info: The Vcs-* field uses an unencrypted transport protocol for the
+ URI.  It is recommended to use a secure transport such as HTTPS for
+ anonymous read-only access.
+ .
+ Note that you can often just exchange e.g. git:// with https:// for
+ repositories.
 
 Tag: lib-recommends-documentation
 Severity: normal
diff --git a/checks/fields.pm b/checks/fields.pm
index 817a176..c057f2f 100644
--- a/checks/fields.pm
+++ b/checks/fields.pm
@@ -169,13 +169,13 @@ my %VCS_CANONIFY = (
             $_[1] = 'vcs-git-uses-invalid-user-uri';
         }
         $_[0] =~ s{\Qhttp://git.debian.org/\E}
-                  {http://anonscm.debian.org/git/};
+                  {https://anonscm.debian.org/git/};
         $_[0] =~ s{\Qhttp://anonscm.debian.org/git/git/\E}
-                  {http://anonscm.debian.org/git/};
+                  {https://anonscm.debian.org/git/};
         $_[0] =~ s{\Qgit://git.debian.org/\E}
-                  {git://anonscm.debian.org/};
+                  {https://anonscm.debian.org/git/};
         $_[0] =~ s{\Qgit://anonscm.debian.org/git/\E}
-                  {git://anonscm.debian.org/};
+                  {https://anonscm.debian.org/git/};
     },
     hg      => sub {
         $_[0] =~ s{\Qhttp://hg.debian.org/\E}
@@ -1292,6 +1292,9 @@ sub run {
                 if (any { $_ and /\s/} @parts) {
                     tag 'vcs-field-has-unexpected-spaces', "vcs-$vcs", $uri;
                 }
+                if ($parts[0] =~ m%^(?:git|http)://%) {
+                    tag 'vcs-field-uses-insecure-uri', "vcs-$vcs", $uri;
+                }
             }
             if ($VCS_CANONIFY{$vcs}) {
                 my $canonicalized = $parts[0];
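Review bot: The new check `if ($parts[0] =~ m%^(?:git|http)://%)` only matches `git://` and plain `http://`, while the tag description added in checks/fields.desc speaks generally of "an unencrypted transport protocol"; other cleartext schemes already present in the test fixtures — `svn://` (t/tests/fields-vcs-fields), `nosmart+http://` for Vcs-Bzr and `:pserver:` for Vcs-Cvs — are not flagged. Either widen the pattern or document the deliberate scope in a comment, e.g. `# Only git:// and http:// are reported as insecure for now; svn://, nosmart+http:// and :pserver: are not checked (#810378)`. The scheme match is also case-sensitive, so `HTTP://` or `Git://` slips through; `m{\A(?:git|http)://}i` covers that and uses the conventional brace delimiter instead of `%`. `sub run` begins and ends outside this hunk.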
diff --git a/debian/changelog b/debian/changelog
index 094ec89..48c4938 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,10 @@ lintian (2.5.40) UNRELEASED; urgency=medium
   * checks/cruft.pm:
     + [BR] Pass information about minified javascript down to tag.
       (Closes:  #804147).
+  * checks/fields.{desc,pm}:
+    + [NT] Apply patch from Dr. Tobias Quathamer <toddy@debian.org> to
+      check for some insecure protocols in Vcs-* fields.
+      (Closes: #810378)
   * checks/files.pm:
     + [NT] Fix off-by-one in an "mtime" comparison, which could give
       false-positive package-contains-timestamped-gzip warnings.
diff --git a/t/tests/fields-malformed-vcs-fields/debian/debian/control.in b/t/tests/fields-malformed-vcs-fields/debian/debian/control.in
index 3701409..9fd866d 100644
--- a/t/tests/fields-malformed-vcs-fields/debian/debian/control.in
+++ b/t/tests/fields-malformed-vcs-fields/debian/debian/control.in
@@ -6,7 +6,7 @@ Standards-Version: {$standards_version}
 Build-Depends: debhelper (>= 9)
 Vcs-Browser: svn.debian.org/wsvn/foobar/trunk
 Vcs-Svn: svn+ssh://svn.debian.org/svn/foobar/trunk
-Vcs-Git: git://anonscm.debian.org/test/test.git --branch wrong
+Vcs-Git: https://anonscm.debian.org/test/test.git --branch wrong
 
 Package: {$source}
 Architecture: {$architecture}
diff --git a/t/tests/fields-malformed-vcs-fields/tags b/t/tests/fields-malformed-vcs-fields/tags
index b2c9246..1530422 100644
--- a/t/tests/fields-malformed-vcs-fields/tags
+++ b/t/tests/fields-malformed-vcs-fields/tags
@@ -1,3 +1,3 @@
-W: fields-malformed-vcs-fields source: vcs-field-has-unexpected-spaces vcs-git git://anonscm.debian.org/test/test.git --branch wrong
+W: fields-malformed-vcs-fields source: vcs-field-has-unexpected-spaces vcs-git https://anonscm.debian.org/test/test.git --branch wrong
 W: fields-malformed-vcs-fields source: vcs-field-uses-not-recommended-uri-format vcs-svn svn+ssh://svn.debian.org/svn/foobar/trunk
 W: fields-malformed-vcs-fields source: vcs-field-uses-unknown-uri-format vcs-browser svn.debian.org/wsvn/foobar/trunk
diff --git a/t/tests/fields-uncanonical-vcs-fields/tags b/t/tests/fields-uncanonical-vcs-fields/tags
index d61abf1..d6e6955 100644
--- a/t/tests/fields-uncanonical-vcs-fields/tags
+++ b/t/tests/fields-uncanonical-vcs-fields/tags
@@ -1,6 +1,8 @@
 I: fields-uncanonical-vcs-fields source: vcs-field-not-canonical http://hg.debian.org/hg/foobar/pkg/foobar http://anonscm.debian.org/hg/foobar/pkg/foobar
 I: fields-uncanonical-vcs-fields source: vcs-field-not-canonical nosmart+http://bzr.debian.org/bzr/collab-maint/foobar nosmart+http://anonscm.debian.org/bzr/collab-maint/foobar
 I: fields-uncanonical-vcs-fields source: vcs-field-not-canonical svn://svn.debian.org/svn/foobar/trunk svn://anonscm.debian.org/foobar/trunk
+I: fields-uncanonical-vcs-fields source: vcs-field-uses-insecure-uri vcs-git git://git.debian.org/~djpig/foobar.git -b master
+I: fields-uncanonical-vcs-fields source: vcs-field-uses-insecure-uri vcs-hg http://hg.debian.org/hg/foobar/pkg/foobar
 W: fields-uncanonical-vcs-fields source: vcs-field-bitrotted :pserver:anonymous@cvs.alioth.debian.org:/cvsroot/foobar :pserver:anonymous@anonscm.debian.org:/cvs/foobar
 W: fields-uncanonical-vcs-fields source: vcs-field-bitrotted https://svn.debian.org/wsvn/foobar/trunk?foo=bar;op=log;something=else http://anonscm.debian.org/viewvc/foobar/trunk?foo=bar;something=else
 W: fields-uncanonical-vcs-fields source: vcs-git-uses-invalid-user-uri git://git.debian.org/~djpig/foobar.git git://anonscm.debian.org/users/djpig/foobar.git
diff --git a/t/tests/fields-malformed-vcs-fields/debian/debian/control.in b/t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in
similarity index 70%
copy from t/tests/fields-malformed-vcs-fields/debian/debian/control.in
copy to t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in
index 3701409..b81b06d 100644
--- a/t/tests/fields-malformed-vcs-fields/debian/debian/control.in
+++ b/t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in
@@ -4,13 +4,12 @@ Section: {$section}
 Maintainer: {$author}
 Standards-Version: {$standards_version}
 Build-Depends: debhelper (>= 9)
-Vcs-Browser: svn.debian.org/wsvn/foobar/trunk
-Vcs-Svn: svn+ssh://svn.debian.org/svn/foobar/trunk
-Vcs-Git: git://anonscm.debian.org/test/test.git --branch wrong
+Vcs-Browser: http://anonscm.debian.org/git/users/toddy/foobar.git
+Vcs-Git: git://anonscm.debian.org/users/toddy/foobar.git
 
 Package: {$source}
 Architecture: {$architecture}
-Depends: $\{misc:Depends\}
+Depends: $\{shlibs:Depends\}, $\{misc:Depends\}
 Description: {$description}
  This is a test package designed to exercise some feature or tag of
  Lintian.  It is part of the Lintian test suite and may do very odd
diff --git a/t/tests/fields-vcs-field-insecure-uri/desc b/t/tests/fields-vcs-field-insecure-uri/desc
new file mode 100644
index 0000000..86cff61
--- /dev/null
+++ b/t/tests/fields-vcs-field-insecure-uri/desc
@@ -0,0 +1,6 @@
+Testname: fields-vcs-field-insecure-uri
+Sequence: 6000
+Description: Test for VCS-* fields using insecure URIs
+Version: 1.0
+Test-For:
+ vcs-field-uses-insecure-uri
diff --git a/t/tests/fields-vcs-field-insecure-uri/tags b/t/tests/fields-vcs-field-insecure-uri/tags
new file mode 100644
index 0000000..1d4338b
--- /dev/null
+++ b/t/tests/fields-vcs-field-insecure-uri/tags
@@ -0,0 +1,2 @@
+I: fields-vcs-field-insecure-uri source: vcs-field-uses-insecure-uri vcs-browser http://anonscm.debian.org/git/users/toddy/foobar.git
+I: fields-vcs-field-insecure-uri source: vcs-field-uses-insecure-uri vcs-git git://anonscm.debian.org/users/toddy/foobar.git
diff --git a/t/tests/fields-vcs-fields/debian/debian/control.in b/t/tests/fields-vcs-fields/debian/debian/control.in
index 6d17058..34265dd 100644
--- a/t/tests/fields-vcs-fields/debian/debian/control.in
+++ b/t/tests/fields-vcs-fields/debian/debian/control.in
@@ -7,8 +7,8 @@ Build-Depends: debhelper (>= 9)
 Vcs-Browser: https://anonscm.debian.org/viewvc/foobar/trunk
 Vcs-Svn: svn://anonscm.debian.org/foobar/trunk
 Vcs-Mtn: www.example.org org.debian.foobar
-Vcs-Hg: http://anonscm.debian.org/hg/foobar/pkg/foobar
-Vcs-Git: git://anonscm.debian.org/users/djpig/foobar.git -b master
+Vcs-Hg: https://anonscm.debian.org/hg/foobar/pkg/foobar
+Vcs-Git: https://anonscm.debian.org/users/djpig/foobar.git -b master
 Vcs-Cvs: :pserver:anonymous@anonscm.debian.org:/cvs/foobar module
 Vcs-Bzr: nosmart+http://anonscm.debian.org/bzr/collab-maint/foobar
 
