
Bug#849514: lintian: Add homepage-uses-insecure-uri tag (HTTP uri in Homepage field)



Hi,

Christoph Biedl wrote:
> > Homepage field can point to HTTP uri, for example (from: https://sources.debian.net/src/libreoffice/1:5.2.4-2/debian/control/?hl=191#L191):
> > 	Homepage: http://www.libreoffice.org
> > while HTTPS is available for the domain: https://www.libreoffice.org

IMHO this is something where Lintian is not the right place: Far too
many false positives for those who don't have HTTPS. So I'm not really
happy about Chris having implemented this already now.

And for those which already provide HTTPS and the Homepage header (or
any other URL in packaging) we already have DUCK
(https://packages.qa.debian.org/duck + http://duck.debian.net/) for
it. (Interestingly, https://duck.debian.net/ does not work. :-)

> Eh, I was just about to suggest the same. I would however rather ship a
> list of hosts that are known to offer the service on https, too.

That's probably unmaintainable, except for a few big sites (GitHub,
MetaCPAN, etc.). Then again, it indeed would make sense for those as
those probably take up a big percentage of all Homepage headers.

(JFTR: SF reverted their HTTPS for project web sites. It still works,
but redirects to HTTP. *sigh*)

> For those the message would be "warning". For anything else it was
> rather a carefully worded recommendation as in "please check whether
> that host is accessible using https, too", and severity "pedantic".

Severity and certainty in Lintian are currently static and a tag can't
have different severities depending on how severe the case is.

> And there are more places here lintian could check for such URLs: The
> DEP-3 header in debian/patches/, most notably Bug-Debian:,

Indeed. That's a place where Lintian could emit warnings with high
certainties without having to check the site itself (which it won't do
anyway; that's what we have DUCK for).

> and the format description in dep-5 debian/copyright.

I thought, it already does. But checking
https://lintian.debian.org/tags.html I found no such tag on a quick
glance. So I'm probably used to DUCK reporting it to me.

So IMHO we shouldn't generally warn about upstream URLs not using
HTTPS. We should, though, do that for Debian hosts where we know that
HTTPS is on or even is redirected to, like e.g. the BTS, Wiki and
Alioth.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

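The host-allowlist approach argued for above (tag http:// URLs only for hosts known to serve HTTPS, no network access, and cover DEP-3 patch headers as well as the Homepage field), as an added example. This is not Lintian's or DUCK's code; the tag names, the host list and the patch-header sample are assumptions for illustration, and only the libreoffice Homepage line comes from the message.

```python
"""Added example: an offline check for http:// URIs in debian/control
Homepage fields and DEP-3 patch headers, tagging only hosts known to
serve HTTPS.  Not Lintian's own code; host list and tag names are
assumptions."""
import re
from urllib.parse import urlsplit

# Assumed allowlist: the Debian hosts the mail names plus the two big
# upstream sites it mentions.  Subdomains of a listed host also match.
KNOWN_HTTPS_HOSTS = {
    "bugs.debian.org", "wiki.debian.org", "alioth.debian.org",
    "github.com", "metacpan.org",
}

# DEP-3 header fields that carry URLs (assumed subset)
DEP3_URL_FIELDS = ("Bug", "Bug-Debian", "Bug-Ubuntu", "Origin", "Forwarded")

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+")
FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
DIFF_START_RE = re.compile(r"^(---|\+\+\+|diff |Index: )")


def parse_first_stanza(text):
    """Minimal deb822/DEP-3 parser: {field: value} for the first stanza,
    joining continuation lines and stopping at a blank line or at the
    start of the unified diff in a patch file."""
    fields, last = {}, None
    for line in text.splitlines():
        if DIFF_START_RE.match(line):
            break
        if not line.strip():
            if fields:
                break
            continue
        if line[0] in " \t" and last:
            fields[last] += "\n" + line.strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
    return fields


def host_is_known_https(host):
    host = host.lower()
    return host in KNOWN_HTTPS_HOSTS or any(
        host.endswith("." + h) for h in KNOWN_HTTPS_HOSTS)


def insecure_uris(fields, url_fields):
    """(field, url) pairs for http:// URLs whose host is on the allowlist;
    everything else is deliberately left alone (no tag, no lookup)."""
    hits = []
    for field in url_fields:
        for url in URL_RE.findall(fields.get(field, "")):
            parts = urlsplit(url)
            if parts.scheme == "http" and host_is_known_https(parts.hostname or ""):
                hits.append((field, url))
    return hits


def check_control(control_text):
    """Tags for debian/control; the source stanza comes first."""
    fields = parse_first_stanza(control_text)
    return ["homepage-uses-insecure-uri %s" % url
            for _, url in insecure_uris(fields, ("Homepage",))]


def check_dep3_patch(patch_text, patch_name):
    """Tags for one debian/patches/ file with a DEP-3 header."""
    fields = parse_first_stanza(patch_text)
    return ["patch-header-uses-insecure-uri %s %s (%s)" % (patch_name, url, field)
            for field, url in insecure_uris(fields, DEP3_URL_FIELDS)]


# Constructed sample inputs.  The libreoffice Homepage line is the one
# quoted in the thread; the rest is made up for the example.
SAMPLE_CONTROL_UPSTREAM = """Source: libreoffice
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Homepage: http://www.libreoffice.org

Package: libreoffice
"""
SAMPLE_CONTROL_GITHUB = """Source: example
Homepage: http://github.com/example/project
"""
SAMPLE_PATCH = """Description: fix the build on hurd-i386
Bug-Debian: http://bugs.debian.org/849514
Forwarded: http://example.org/tracker/42
---
 configure.ac | 1 +
"""

if __name__ == "__main__":
    for tag in (check_control(SAMPLE_CONTROL_UPSTREAM)
                + check_control(SAMPLE_CONTROL_GITHUB)
                + check_dep3_patch(SAMPLE_PATCH, "fix-build.patch")):
        print("W:", tag)
```

The libreoffice stanza produces no tag at all, which is the point of the allowlist: an unknown upstream host is neither warned about nor fetched. Only the GitHub Homepage and the bugs.debian.org Bug-Debian header are reported, and the example.org Forwarded URL passes silently.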

