[lintian] 01/01: Warn for debian/watch files using insecure URIs such as HTTP or FTP, similar to vcs-field-uses-insecure-uri. (Closes: #849515)
This is an automated email from the git hooks/post-receive script.
lamby pushed a commit to branch master
in repository lintian.
commit c8b16ca11e4b38745b8c6e3872859a76c120eb27
Author: Chris Lamb <lamby@debian.org>
Date: Sun Oct 1 16:05:00 2017 +0100
Warn for debian/watch files using insecure URIs such as HTTP or FTP, similar to vcs-field-uses-insecure-uri. (Closes: #849515)
---
checks/watch-file.desc | 7 +++++++
checks/watch-file.pm | 10 +++++-----
debian/changelog | 3 +++
t/tests/watch-file-bug-765995/debian/debian/watch | 2 +-
t/tests/watch-file-general/debian/debian/watch | 5 ++++-
t/tests/watch-file-general/desc | 1 +
t/tests/watch-file-general/tags | 3 +++
t/tests/watch-file-native/debian/debian/watch | 2 +-
t/tests/watch-file-old-upstream-version/debian/debian/watch | 2 +-
t/tests/watch-file-prerelease/debian/debian/watch | 2 +-
t/tests/watch-file-pubkey-missing/desc | 4 +++-
t/tests/watch-file-pubkey-missing/tags | 1 +
t/tests/watch-file-should-mangle/debian/debian/watch | 6 +++---
t/tests/watch-file-template/desc | 4 +++-
t/tests/watch-file-template/tags | 1 +
15 files changed, 38 insertions(+), 15 deletions(-)
diff --git a/checks/watch-file.desc b/checks/watch-file.desc
index 765efdf..af430dc 100644
--- a/checks/watch-file.desc
+++ b/checks/watch-file.desc
@@ -186,3 +186,10 @@ Severity: wishlist
Certainty: certain
Info: The watch file contains a standard template included by dh_make.
Please remove them once you have implemented the watch file.
+
+Tag: debian-watch-uses-insecure-uri
+Severity: wishlist
+Certainty: certain
+Info: The watch file uses an unencrypted transport protocol for the
+ URI. It is recommended to use a secure transport such as HTTPS for
+ anonymous read-only access.
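Review bot: the tag name `debian-watch-uses-insecure-uri` breaks the `debian-watch-file-*` prefix every other tag in this file uses (`debian-watch-file-uses-deprecated-githubredir`, `debian-watch-file-should-use-sf-redirector`); `debian-watch-file-uses-insecure-uri` would be consistent. The Info text should also name which schemes trigger it (plain `http:` and `ftp:`, per the regex added to watch-file.pm) and say that the tag is emitted even when a pgpsigurlmangle/pgpmode signature check is configured, which the watch-file-pubkey-missing expectations later in this patch confirm; a Ref: pointing at `vcs-field-uses-insecure-uri` and #849515 would tie it to the sibling tag the commit message cites.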
diff --git a/checks/watch-file.pm b/checks/watch-file.pm
index 629cad7..5a8fb91 100644
--- a/checks/watch-file.pm
+++ b/checks/watch-file.pm
@@ -121,15 +121,13 @@ sub run {
if /^pgpmode\s*=\s*(?!none\s*$)\S.*$/;
}
}
+
if (m%qa\.debian\.org/watch/sf\.php\?%) {
tag 'debian-watch-file-uses-deprecated-sf-redirector-method',
"line $.";
- }
- if (m%githubredir\.debian\.net%) {
+ } elsif (m%githubredir\.debian\.net%) {
tag 'debian-watch-file-uses-deprecated-githubredir',"line $.";
- }
-
- if (
+ } elsif (
m{ (?:https?|ftp)://
(?:(?:.+\.)?dl|(?:pr)?downloads?|ftp\d?|upload) \.
(?:sourceforge|sf)\.net}xsm
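Review bot: collapsing the three independent `if` blocks into one if/elsif chain changes behaviour beyond adding the new tag. A line matching the deprecated sf.php redirector or githubredir.debian.net is no longer examined by the should-use-sf-redirector branch, and, because the insecure-URI check is the final `elsif`, such a line never receives `debian-watch-uses-insecure-uri` even when it is plain `http://`, as the githubredir line in the watch-file-general fixture is. If "one URL-shape tag per line" is the intent, say so in a comment above the chain; otherwise keep the insecure-URI test as a separate `if` so it fires independently of the redirector tags.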
@@ -139,6 +137,8 @@ sub run {
/projects/.+/files}xsm
) {
tag 'debian-watch-file-should-use-sf-redirector', "line $.";
+ } elsif (m%(?:http|ftp):%) {
+ tag 'debian-watch-uses-insecure-uri',"line $.";
}
# This bit is as-is from uscan.pl:
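Review bot: `m%(?:http|ftp):%` is matched against the whole line, so it also fires on `http:` or `ftp:` appearing inside an `opts=` mangle expression (a downloadurlmangle or filenamemangle that rewrites an http URL, for example) or in any other non-URL text on the line, giving false positives. Anchoring on the URL field, e.g. `m{(?:^|\s)(?:http|ftp)://}`, is closer to the intent and mirrors the `(?:https?|ftp)://` form the sourceforge branch just above already uses. Also, the new `tag` call omits the space after the comma that the neighbouring calls use (`"line $.";`), which perltidy will flag.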
diff --git a/debian/changelog b/debian/changelog
index 56fb352..34d4198 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,9 @@ lintian (2.5.55) UNRELEASED; urgency=medium
(Closes: #877142)
+ [NT] Apply patch from Mattia Rizzolo to improve the tag description
for script-uses-deprecated-nodejs-location.
+ * checks/watch-file.{pm,desc}:
+ + [CL] Warn for debian/watch files using insecure URIs such as HTTP or
+ FTP, similar to vcs-field-uses-insecure-uri. (Closes: #849515)
* commands/lintian.pm:
+ [NT] Simplify handling of uncaught exceptions.
diff --git a/t/tests/watch-file-bug-765995/debian/debian/watch b/t/tests/watch-file-bug-765995/debian/debian/watch
index fd32869..6f30e20 100644
--- a/t/tests/watch-file-bug-765995/debian/debian/watch
+++ b/t/tests/watch-file-bug-765995/debian/debian/watch
@@ -1,4 +1,4 @@
version=3
# Trailing whitespace and missing continuation backslash intentional!
opts=pgpsigurlmangle=s/$/.asc/
-http://www.example.com/Downloads/code-(.+)code\.zip
+https://www.example.com/Downloads/code-(.+)code\.zip
diff --git a/t/tests/watch-file-general/debian/debian/watch b/t/tests/watch-file-general/debian/debian/watch
index a96531e..956fef9 100644
--- a/t/tests/watch-file-general/debian/debian/watch
+++ b/t/tests/watch-file-general/debian/debian/watch
@@ -18,9 +18,12 @@ http://sourceforge.net/projects/synce/files http://downloads.sourceforge.net/.+/
version=42
# Specifies the same version number as the package.
-http://example.com/ foo([\d.]+)\.tar\.gz 2.0.ds1-1 uupdate
+https://example.com/ foo([\d.]+)\.tar\.gz 2.0.ds1-1 uupdate
# Deprecated githubredir
http://githubredir.debian.net/github/username/project /(.*).tar.gz
# without any pgpsigurlmangle
+
+http://insecure.com /(.*).tar.gz
+https://secure.com /(.*).tar.gz
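Review bot: `insecure.com` and `secure.com` are real, registrable domains; fixtures should use the RFC 2606 reserved names (example.com, example.net, example.org), as the rest of this file and the other watch files in the patch already do, e.g. `http://insecure.example.com /(.*).tar.gz` and `https://secure.example.com /(.*).tar.gz`. Inserting the pair directly under the existing `# without any pgpsigurlmangle` comment also makes that comment read as if it described the new lines; a comment of their own (for instance `# insecure vs. secure transport; both also lack version mangling`) would keep the fixture's purpose clear and explain the two extra should-mangle-version warnings the tags file now expects.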
diff --git a/t/tests/watch-file-general/desc b/t/tests/watch-file-general/desc
index 3dc5359..100079e 100644
--- a/t/tests/watch-file-general/desc
+++ b/t/tests/watch-file-general/desc
@@ -14,4 +14,5 @@ Test-For:
debian-watch-file-uses-deprecated-sf-redirector-method
debian-watch-file-uses-deprecated-githubredir
debian-watch-may-check-gpg-signature
+ debian-watch-uses-insecure-uri
References: Debian Bug#510398
diff --git a/t/tests/watch-file-general/tags b/t/tests/watch-file-general/tags
index 675508a..98b529f 100644
--- a/t/tests/watch-file-general/tags
+++ b/t/tests/watch-file-general/tags
@@ -1,5 +1,6 @@
E: watch-file-general source: debian-watch-file-uses-deprecated-githubredir line 24
I: watch-file-general source: debian-watch-file-should-dversionmangle-not-uversionmangle line 5
+I: watch-file-general source: debian-watch-uses-insecure-uri line 28
P: watch-file-general source: debian-watch-may-check-gpg-signature
W: watch-file-general source: debian-watch-file-declares-multiple-versions line 18
W: watch-file-general source: debian-watch-file-declares-multiple-versions line 7
@@ -7,6 +8,8 @@ W: watch-file-general source: debian-watch-file-should-mangle-version line 12
W: watch-file-general source: debian-watch-file-should-mangle-version line 14
W: watch-file-general source: debian-watch-file-should-mangle-version line 15
W: watch-file-general source: debian-watch-file-should-mangle-version line 24
+W: watch-file-general source: debian-watch-file-should-mangle-version line 28
+W: watch-file-general source: debian-watch-file-should-mangle-version line 29
W: watch-file-general source: debian-watch-file-should-use-sf-redirector line 12
W: watch-file-general source: debian-watch-file-should-use-sf-redirector line 14
W: watch-file-general source: debian-watch-file-should-use-sf-redirector line 15
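Review bot: the expected output records the shadowing introduced by the elsif chain in watch-file.pm: line 24 (the `http://githubredir.debian.net` line, tagged uses-deprecated-githubredir) is a plain-http URL, and so is at least one of the sourceforge lines tagged should-use-sf-redirector (the hunk header for this fixture shows `http://sourceforge.net/...`), yet only line 28 receives `debian-watch-uses-insecure-uri`. If that is intentional, the check deserves a comment saying so; if not, these expectations will need the additional `I:` lines once the check is made independent. The absence of any tag for line 29 (`https://secure.com`) is the useful negative case and should stay.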
diff --git a/t/tests/watch-file-native/debian/debian/watch b/t/tests/watch-file-native/debian/debian/watch
index fe12dbc..23b829d 100644
--- a/t/tests/watch-file-native/debian/debian/watch
+++ b/t/tests/watch-file-native/debian/debian/watch
@@ -1,5 +1,5 @@
# watch file with upstream version mangling
version=3
-http://somewhere.debian.org/foo/foo_bar(.+)\.tar\.gz 5 uupdate
+https://somewhere.debian.org/foo/foo_bar(.+)\.tar\.gz 5 uupdate
diff --git a/t/tests/watch-file-old-upstream-version/debian/debian/watch b/t/tests/watch-file-old-upstream-version/debian/debian/watch
index 7e052d6..ebaecbd 100644
--- a/t/tests/watch-file-old-upstream-version/debian/debian/watch
+++ b/t/tests/watch-file-old-upstream-version/debian/debian/watch
@@ -1,3 +1,3 @@
version=3
-http://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz 1.0 uupdate
+https://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz 1.0 uupdate
diff --git a/t/tests/watch-file-prerelease/debian/debian/watch b/t/tests/watch-file-prerelease/debian/debian/watch
index 26df203..8038deb 100644
--- a/t/tests/watch-file-prerelease/debian/debian/watch
+++ b/t/tests/watch-file-prerelease/debian/debian/watch
@@ -1,3 +1,3 @@
version=3
opts=dversionmangle=s/~rc/-rc/ \
- http://www.example.com/software/foo/ .*/foo-([^-]+)\.tar\.gz
+ https://www.example.com/software/foo/ .*/foo-([^-]+)\.tar\.gz
diff --git a/t/tests/watch-file-pubkey-missing/desc b/t/tests/watch-file-pubkey-missing/desc
index 4d162a6..41d6c6e 100644
--- a/t/tests/watch-file-pubkey-missing/desc
+++ b/t/tests/watch-file-pubkey-missing/desc
@@ -2,4 +2,6 @@ Testname: watch-file-pubkey-missing
Type: non-native
Version: 1+dfsg-1
Description: Watch file if verify signature should check d/upstream/signing-key.{pgp,asc}
-Test-For: debian-watch-file-pubkey-file-is-missing
+Test-For:
+ debian-watch-file-pubkey-file-is-missing
+ debian-watch-uses-insecure-uri
diff --git a/t/tests/watch-file-pubkey-missing/tags b/t/tests/watch-file-pubkey-missing/tags
index c3b1f0d..58ec471 100644
--- a/t/tests/watch-file-pubkey-missing/tags
+++ b/t/tests/watch-file-pubkey-missing/tags
@@ -1 +1,2 @@
E: watch-file-pubkey-missing source: debian-watch-file-pubkey-file-is-missing
+I: watch-file-pubkey-missing source: debian-watch-uses-insecure-uri line 3
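Review bot: this fixture keeps its `http://` URL and gains the new tag in its expected output, whereas the other fixtures touched by this patch were switched to `https://` to avoid it. Both approaches are defensible, but the mix should be deliberate: leaving the http URL here gives a regression test for "insecure URI despite a configured signature check" (the desc's Description says the watch file verifies signatures), so a sentence in the desc noting that the insecure-URI tag is expected here would stop a later cleanup from switching the fixture to https and silently losing that coverage.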
diff --git a/t/tests/watch-file-should-mangle/debian/debian/watch b/t/tests/watch-file-should-mangle/debian/debian/watch
index 0032647..6cc9db4 100644
--- a/t/tests/watch-file-should-mangle/debian/debian/watch
+++ b/t/tests/watch-file-should-mangle/debian/debian/watch
@@ -2,10 +2,10 @@
# package version number.
version=2
-http://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz debian uupdate
+https://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz debian uupdate
# version mangling is not needed in this case:
-http://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz 0.24 uupdate
+https://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz 0.24 uupdate
# version mangling *is* needed in this case:
-http://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz
+https://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz
diff --git a/t/tests/watch-file-template/desc b/t/tests/watch-file-template/desc
index 0b56374..93c5332 100644
--- a/t/tests/watch-file-template/desc
+++ b/t/tests/watch-file-template/desc
@@ -2,4 +2,6 @@ Testname: watch-file-template
Type: non-native
Version: 1.0-1
Description: Test for dh_make(1) templates
-Test-For: debian-watch-contains-dh_make-template
+Test-For:
+ debian-watch-contains-dh_make-template
+ debian-watch-uses-insecure-uri
diff --git a/t/tests/watch-file-template/tags b/t/tests/watch-file-template/tags
index f6885fd..4b43de1 100644
--- a/t/tests/watch-file-template/tags
+++ b/t/tests/watch-file-template/tags
@@ -1 +1,2 @@
I: watch-file-template source: debian-watch-contains-dh_make-template
+I: watch-file-template source: debian-watch-uses-insecure-uri line 3
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git