
Bug#886930: lintian: Check that debian/copyright uses HTTPS in its format URI



Package: lintian
Version: 2.5.67
Severity: wishlist
Tags: patch
X-Debbugs-CC: jcc@debian.org

Dear lintian maintainers,

Since policy 4.0.0, it is preferred to use HTTPS for the DEP5 copyright files'
format URI; I added a check to this effect to lintian.

I have not, however, added a test, as I am pretty unfamiliar with lintian
internals (and Perl, for that matter).  I did however test the change manually.


Best,

  nicoo


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils                          2.29.1-12
ii  bzip2                             1.0.6-8.1
ii  diffstat                          1.61-1+b1
ii  dpkg                              1.19.0.4
ii  file                              1:5.32-1
ii  gettext                           0.19.8.1-4
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.33
ii  libarchive-zip-perl               1.60-1
ii  libclass-accessor-perl            0.51-1
ii  libclone-perl                     0.39-1
ii  libdpkg-perl                      1.19.0.4
ii  libemail-valid-perl               1.202-1
ii  libfile-basedir-perl              0.07-1
ii  libipc-run-perl                   0.96-1
ii  liblist-moreutils-perl            0.416-1+b3
ii  libparse-debianchangelog-perl     1.2.0-12
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-3
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.72-2
ii  libxml-simple-perl                2.24-1
ii  libyaml-libyaml-perl              0.63-2+b2
ii  man-db                            2.7.6.1-4
ii  patchutils                        0.3.4-2
ii  perl                              5.26.1-3
ii  t1utils                           1.41-2
ii  xz-utils                          5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.19.0.4
ii  libhtml-parser-perl    3.72-3+b2
ii  libtext-template-perl  1.47-1

-- no debconf information
From 471593b7df4a4a42bc0d935c714d16d664e830d9 Mon Sep 17 00:00:00 2001
From: Nicolas Braud-Santoni <nicolas@braud-santoni.eu>
Date: Thu, 11 Jan 2018 13:30:10 +0100
Subject: [PATCH] checks/source-copyright: Warn on insecure format URIs

---
 checks/source-copyright.desc | 10 ++++++++++
 checks/source-copyright.pm   | 12 +++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/checks/source-copyright.desc b/checks/source-copyright.desc
index 718be3030..7ce6fa019 100644
--- a/checks/source-copyright.desc
+++ b/checks/source-copyright.desc
@@ -48,6 +48,16 @@ Info: Format URI of the machine-readable copyright file contains
  <tt>VERSIONED_FORMAT_URL</tt> or <tt>REVISION</tt> string.  Please replace it
  with an actual URI or an actual revision number respectively.
 
+Tag: insecure-copyright-format-uri
+Severity: pedantic
+Certainty: possible
+Ref: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Info: Format URI of the machine-readable copyright file uses plain HTTP
+ .
+ Using HTTPS is prefered since policy 4.0.0.  Please use
+ <tt>https://www.debian.org/doc/packaging-manuals/copyright-format/<i>version</i>/</tt>
+ as the format URI instead.
+
 Tag: wiki-copyright-format-uri
 Severity: pedantic
 Certainty: possible
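Review bot: "prefered" in the new Info text (`+ Using HTTPS is prefered since policy 4.0.0.`) should read "preferred", since this string is shown to users verbatim. Also reconsider `Certainty: possible`: the check this tag backs is a plain prefix test on the Format URI, so `certain` would describe it more accurately; and since the Info text cites policy 4.0.0 as the reason, the `Ref:` line could name the policy section alongside the copyright-format spec.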
diff --git a/checks/source-copyright.pm b/checks/source-copyright.pm
index c04e82a5f..703f3d597 100644
--- a/checks/source-copyright.pm
+++ b/checks/source-copyright.pm
@@ -86,11 +86,9 @@ sub run {
     return;
 }
 
-# Note that we allow people to use "https://"; even the
-# policy says it must be "http://";.  It might be
-# pedantically wrong, but it is not worth arguing over On
-# the plus side, it gives security to people blindly
-# copy-wasting the URLs using "https://";.
+# The policy states, since 4.0.0, that people should
+# use "https://"; for the format URI.  This is checked
+# later in check_dep5_copyright.
 # return undef is not dep5 and '' if unknown version
 sub _find_dep5_version {
     my ($original_uri) = @_;
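Review bot: the replacement comment refers to "check_dep5_copyright", but the subroutine that performs the check (in the next hunk) is `_check_dep5_copyright`, with a leading underscore; use the exact name so the reference survives a grep. The old comment also documented that `_find_dep5_version` accepts both `http://` and `https://` URIs, and that behaviour is unchanged here (only the wording about which scheme is preferred changed), so keep one sentence saying that plain HTTP is still recognised and merely warned about, otherwise a reader may assume the function now rejects it.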
@@ -213,6 +211,10 @@ sub _check_dep5_copyright {
 
     my $version = _find_dep5_version($uri);
 
+    if ($uri =~ m,^http:, ) {
+        tag 'insecure-copyright-format-uri', $uri
+    }
+
     return if !defined($version);
     if ($version =~ m,wiki,) {
         tag 'wiki-copyright-format-uri', $uri;
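Review bot: `tag 'insecure-copyright-format-uri', $uri` lacks the trailing semicolon that the neighbouring `tag 'wiki-copyright-format-uri', $uri;` uses; Perl tolerates it as the last statement in the block, but any line added after it later would fail to parse, so add it now. Two smaller points on the condition `if ($uri =~ m,^http:, ) {`: drop the stray space before the closing paren, and note that because the test sits above `return if !defined($version);` it also fires for a non-DEP5 `http:` URI (the case where `_find_dep5_version` returns undef per its comment). If warning on any plain-HTTP Format value is intended, say so in the commit message; otherwise move the check below the early return.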
-- 
2.15.1

Attachment: signature.asc
Description: PGP signature
