package lintian tag 810378 patch thanks Hi, I've implemented a check for insecure URIs which warns about plaintext transports such as http:// or git://. The patch is against the current HEAD of the git repository. Regards, Tobias
From 5e4c365ee094c32ab50c251402207fa1efe4621c Mon Sep 17 00:00:00 2001
From: "Dr. Tobias Quathamer" <toddy@debian.org>
Date: Sat, 16 Jan 2016 01:17:29 +0100
Subject: [PATCH] Add test and code for insecure URIs in VCS-* fields
---
checks/fields.desc | 12 +++++++++++-
checks/fields.pm | 11 +++++++----
.../debian/debian/control.in | 17 +++++++++++++++++
t/tests/fields-vcs-field-insecure-uri/desc | 6 ++++++
t/tests/fields-vcs-field-insecure-uri/tags | 2 ++
5 files changed, 43 insertions(+), 5 deletions(-)
create mode 100644 t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in
create mode 100644 t/tests/fields-vcs-field-insecure-uri/desc
create mode 100644 t/tests/fields-vcs-field-insecure-uri/tags
diff --git a/checks/fields.desc b/checks/fields.desc
index acea0df..13e6cdd 100644
--- a/checks/fields.desc
+++ b/checks/fields.desc
@@ -1108,7 +1108,17 @@ Info: The Vcs-Git field is pointing to a personal repository using
a git://(git|anonscm).debian.org/~$LOGIN/$PRJ.git style URI. This is not
recommended since the repository this points is not automatically updated
when pushing to the personal repository. The recommended URI for anonymous
- access is git://anonscm.debian.org/users/$LOGIN/$PRJ.git.
+ access is https://anonscm.debian.org/git/users/$LOGIN/$PRJ.git.
+
+Tag: vcs-field-uses-insecure-uri
+Severity: wishlist
+Certainty: certain
+Info: The Vcs-* field uses an unencrypted transport protocol for the
+ URI. It is recommended to use a secure transport such as HTTPS for
+ anonymous read-only access.
+ .
+ Note that you can often just exchange e.g. git:// with https:// for
+ repositories.
Tag: lib-recommends-documentation
Severity: normal
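Review bot: The Info text of the new vcs-field-uses-insecure-uri tag gives the recommendation but not the risk it addresses, so a maintainer reading the wishlist-severity tag cannot tell why swapping the scheme matters. Add a sentence after the first paragraph along the lines of `Over an unencrypted transport the fetched source can be read or altered in transit, and the client cannot verify that it is talking to the intended host.` The text also says "Vcs-* field" while the check in fields.pm only recognises git:// and http:// prefixes; either word the description to match or widen the match, so the two stay consistent.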
diff --git a/checks/fields.pm b/checks/fields.pm
index 817a176..c057f2f 100644
--- a/checks/fields.pm
+++ b/checks/fields.pm
@@ -169,13 +169,13 @@ my %VCS_CANONIFY = (
$_[1] = 'vcs-git-uses-invalid-user-uri';
}
$_[0] =~ s{\Qhttp://git.debian.org/\E}
- {http://anonscm.debian.org/git/};
+ {https://anonscm.debian.org/git/};
$_[0] =~ s{\Qhttp://anonscm.debian.org/git/git/\E}
- {http://anonscm.debian.org/git/};
+ {https://anonscm.debian.org/git/};
$_[0] =~ s{\Qgit://git.debian.org/\E}
- {git://anonscm.debian.org/};
+ {https://anonscm.debian.org/git/};
$_[0] =~ s{\Qgit://anonscm.debian.org/git/\E}
- {git://anonscm.debian.org/};
+ {https://anonscm.debian.org/git/};
},
hg => sub {
$_[0] =~ s{\Qhttp://hg.debian.org/\E}
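Review bot: Switching the replacement text to https breaks the chained fixups in this canonify sub: `http://git.debian.org/git/foo` is first rewritten to `https://anonscm.debian.org/git/git/foo`, and the next pattern `\Qhttp://anonscm.debian.org/git/git/\E` no longer matches the https prefix, so the doubled `git/` segment the old code collapsed now survives; the `git://` pair has the same problem, since after the `git://git.debian.org/` rewrite the `\Qgit://anonscm.debian.org/git/\E` pattern never sees a git:// URI. Replace the two collapse substitutions with one scheme-agnostic rule placed after the host rewrites, e.g. `$_[0] =~ s{https?://anonscm\.debian\.org/git/git/}{https://anonscm.debian.org/git/};`, so it operates on their output. The git entry of %VCS_CANONIFY starts before this hunk, and the hg entry just below still canonicalises to `http://hg.debian.org/`; it is worth checking whether it should receive the same https treatment for consistency.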
@@ -1292,6 +1292,9 @@ sub run {
if (any { $_ and /\s/} @parts) {
tag 'vcs-field-has-unexpected-spaces', "vcs-$vcs", $uri;
}
+ if ($parts[0] =~ m%^(?:git|http)://%) {
+ tag 'vcs-field-uses-insecure-uri', "vcs-$vcs", $uri;
+ }
}
if ($VCS_CANONIFY{$vcs}) {
my $canonicalized = $parts[0];
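Review bot: The added scheme test `if ($parts[0] =~ m%^(?:git|http)://%)` is case-sensitive and lists only two schemes, so an `HTTP://` URI or a Vcs-Svn `svn://` URI (plain svnserve, no TLS) passes silently even though the tag description speaks of any unencrypted transport; `if ($parts[0] =~ m{\A(?:git|http|svn)://}i) {` would close both gaps while still leaving ssh-based schemes alone. The preceding `any { $_ and /\s/ } @parts` guards each element against being undefined, which suggests `$parts[0]` can be undef here too; if that is so, the match should be prefixed with `defined $parts[0] &&` to avoid a warning under `use warnings`. The enclosing block and `sub run` begin outside this hunk; the new check does sit before the canonicalisation below, which is the right place since canonicalisation now rewrites the scheme to https.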
diff --git a/t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in b/t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in
new file mode 100644
index 0000000..b81b06d
--- /dev/null
+++ b/t/tests/fields-vcs-field-insecure-uri/debian/debian/control.in
@@ -0,0 +1,17 @@
+Source: {$source}
+Priority: extra
+Section: {$section}
+Maintainer: {$author}
+Standards-Version: {$standards_version}
+Build-Depends: debhelper (>= 9)
+Vcs-Browser: http://anonscm.debian.org/git/users/toddy/foobar.git
+Vcs-Git: git://anonscm.debian.org/users/toddy/foobar.git
+
+Package: {$source}
+Architecture: {$architecture}
+Depends: $\{shlibs:Depends\}, $\{misc:Depends\}
+Description: {$description}
+ This is a test package designed to exercise some feature or tag of
+ Lintian. It is part of the Lintian test suite and may do very odd
+ things. It should not be installed like a regular package. It may
+ be an empty package.
diff --git a/t/tests/fields-vcs-field-insecure-uri/desc b/t/tests/fields-vcs-field-insecure-uri/desc
new file mode 100644
index 0000000..86cff61
--- /dev/null
+++ b/t/tests/fields-vcs-field-insecure-uri/desc
@@ -0,0 +1,6 @@
+Testname: fields-vcs-field-insecure-uri
+Sequence: 6000
+Description: Test for VCS-* fields using insecure URIs
+Version: 1.0
+Test-For:
+ vcs-field-uses-insecure-uri
diff --git a/t/tests/fields-vcs-field-insecure-uri/tags b/t/tests/fields-vcs-field-insecure-uri/tags
new file mode 100644
index 0000000..1d4338b
--- /dev/null
+++ b/t/tests/fields-vcs-field-insecure-uri/tags
@@ -0,0 +1,2 @@
+I: fields-vcs-field-insecure-uri source: vcs-field-uses-insecure-uri vcs-browser http://anonscm.debian.org/git/users/toddy/foobar.git
+I: fields-vcs-field-insecure-uri source: vcs-field-uses-insecure-uri vcs-git git://anonscm.debian.org/users/toddy/foobar.git
--
2.5.0