Hi,

Christoph Biedl wrote:
> > Homepage field can point to HTTP uri, for example (from: https://sources.debian.net/src/libreoffice/1:5.2.4-2/debian/control/?hl=191#L191):
> >
> > Homepage: http://www.libreoffice.org
> >
> > while HTTPS is available for the domain: https://www.libreoffice.org

IMHO this is something where Lintian is not the right place: Far too many false positives for those who don't have HTTPS. So I'm not really happy about Chris having implemented this already now.

And for those which already provide HTTPS and the Homepage header (or any other URL in packaging) we already have DUCK (https://packages.qa.debian.org/duck + http://duck.debian.net/) for it. (Interestingly, https://duck.debian.net/ does not work. :-)

> Eh, I was just about to suggest the same. I would however rather ship a
> list of hosts that are known to offer the service on https, too.

That's probably unmaintainable, except for a few big sites (GitHub, MetaCPAN, etc.). Then again, it indeed would make sense for those as those probably take up a big percentage of all Homepage headers.

(JFTR: SF reverted their HTTPS for project web sites. It still works, but redirects to HTTP. *sigh*)

> For those the message would be "warning". For anything else it was
> rather a carefully worded recommendation as in "please check whether
> that host is accessible using https, too", and severity "pedantic".

Severity and certainty in Lintian are currently static and a tag can't have different severities depending on how severe the case is.

> And there are more places here lintian could check for such URLs: The
> DEP-3 header in debian/patches/, most notably Bug-Debian:,

Indeed. That's a place where Lintian could emit warnings with high certainties without having to check the site itself (which it won't do anyways, but what we have DUCK for).

> and the format description in dep-5 debian/copyright.

I thought, it already does. But checking https://lintian.debian.org/tags.html I found no such tag on a quick glance. So I'm probably used to DUCK reporting it to me.

So IMHO we shouldn't generally warn about upstream URLs not using HTTPS. We though should do that for Debian hosts where we know that HTTPS is on or even is redirected to, like e.g. the BTS, Wiki and Alioth.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
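The narrower check discussed in this thread, as an added example that is not Lintian's or DUCK's code: it flags `http://` URLs in the Homepage field and in DEP-3 patch headers only when the host is on a fixed list, and never contacts the site. The hostnames, the field list, the function names and the sample patch are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames for the BTS, Wiki and Alioth named in the thread.
KNOWN_HTTPS_HOSTS = {"bugs.debian.org", "wiki.debian.org", "alioth.debian.org"}
# Assumption: fields scanned. Homepage (debian/control) plus DEP-3 headers.
URL_FIELDS = {"homepage", "bug-debian", "bug", "origin", "forwarded"}
HTTP_URL = re.compile(r"http://[^\s<>\"',]+")

def parse_fields(text):
    """Return [name, value] pairs from the first RFC 822-style paragraph,
    folding continuation lines; stops at a blank line or a non-field line."""
    fields = []
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break              # blank line ends the paragraph
            continue
        if line.startswith("#"):
            continue               # comment line in debian/control
        if line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append([name.strip(), value.strip()])
        else:
            break                  # start of the patch body
    return fields

def find_insecure_urls(text, source):
    """Report (source, field, url, suggested_url) for http:// URLs whose
    host is known to serve HTTPS. Unknown hosts are not reported, which
    avoids false positives for sites without HTTPS."""
    findings = []
    for name, value in parse_fields(text):
        if name.lower() not in URL_FIELDS:
            continue
        for url in HTTP_URL.findall(value):
            host = (urlsplit(url).hostname or "").lower()
            if host in KNOWN_HTTPS_HOSTS:
                findings.append((source, name, url, "https" + url[4:]))
    return findings

# The Homepage line is the one quoted in the thread; the patch is constructed.
CONTROL = "Source: libreoffice\nHomepage: http://www.libreoffice.org\n"
PATCH = ("Description: fix typo in manual page\n"
         " Constructed sample, see http://bugs.debian.org/ for context.\n"
         "Origin: http://example.org/fix.patch\n"
         "Bug-Debian: http://bugs.debian.org/123456\n\n--- a/doc/foo.1\n")
```
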