[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

Scott Kitterman <debian@kitterman.com> writes:

> As is currently being discussed on #debian-devel, the git:// protocol is
> insecure, but is what is normally used in Vcs-git fields in Debian packages.

> For git, it would be far better to used https://, but I don't think policy is
> completely clear that is OK since it says to use the "version control system's
> conventional syntax".  For git, that's arguably git:// even though it's a
> security risk.

> Please see the attached patch.  Although the diff is slightly noisy, the patch
> only adds one word.

I would rather add a new sentence saying that ideally the URL should use a
secure transport mechanism.  Right now, with this rephrasing, it sort of
implies that if there's no encrypted transport, you shouldn't use this
field.  It used to be that serving Git over HTTPS was a huge pain and
disabled a bunch of features, so some folks may just not have bothered to
ever set that up.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
Reply to: