HTTPS in DEP-5

To: debian-devel@lists.debian.org
Subject: HTTPS in DEP-5
From: Jakub Wilk <jwilk@debian.org>
Date: Sun, 6 Mar 2016 19:35:57 +0100
Message-id: <[🔎] 20160306183557.GA5881@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org

The machine-readable debian/copyright file specification says that theFormat field should contain:


http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

These days www.debian.org supports HTTPS+HSTS (thanks, DSA!). Apparentlythis prompted some people to replace "http" with "https" in their Formatfield, contrary to the requirements of the specification.

Worse, some tools (Lintian, mk-origtargz) incorrectly say that the HTTPSURL is the one you should use in the Format field. Also, some tools(dh-make, Config::Model) produce copyright files with the HTTPS URLinside.

Some DEP-5 consumers recognize the HTTPS URL (Lintian, mk-origtargz,Config::Model, python-debian, license-reconcile), but others don't(adequate, umegaya).


So, what we're going to do about it? I see the following options:

A) Make Lintian complain about the HTTPS URL; fixHTTPS-advertising and HTTPS-producing tools, and >400 copyright files.


B) Fix the spec to allow the HTTPS URL; fix the HTTP-only consumers.

C) Admit that file formats are too hard and go shopping.

--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: HTTPS in DEP-5
  - From: Geert Stappers <stappers@debian.org>
- Re: HTTPS in DEP-5
  - From: Bas Wijnen <wijnen@debian.org>

Prev by Date: Re: debian-www / debian-doc teams no longer responsive [Was: Re: Bad release in install documentation]
Next by Date: Re: HTTPS in DEP-5
Previous by thread: Re: debian-www / debian-doc teams no longer responsive [Was: Re: Bad release in install documentation]
Next by thread: Re: HTTPS in DEP-5
Index(es):
- Date
- Thread