Package: lintian
Version: 2.5.67
Severity: wishlist
Tags: patch
X-Debbugs-CC: jcc@debian.org

Dear lintian maintainers,

Since policy 4.0.0, it is preferred to use HTTPS for the DEP5 copyright files' format URI; I added a check to this effect to lintian.

I have not, however, added a test, as I am pretty unfamiliar with lintian internals (and Perl, for that matter). I did however test the change manually.

Best,
nicoo

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils                       2.29.1-12
ii  bzip2                          1.0.6-8.1
ii  diffstat                       1.61-1+b1
ii  dpkg                           1.19.0.4
ii  file                           1:5.32-1
ii  gettext                        0.19.8.1-4
ii  intltool-debian                0.35.0+20060710.4
ii  libapt-pkg-perl                0.1.33
ii  libarchive-zip-perl            1.60-1
ii  libclass-accessor-perl         0.51-1
ii  libclone-perl                  0.39-1
ii  libdpkg-perl                   1.19.0.4
ii  libemail-valid-perl            1.202-1
ii  libfile-basedir-perl           0.07-1
ii  libipc-run-perl                0.96-1
ii  liblist-moreutils-perl         0.416-1+b3
ii  libparse-debianchangelog-perl  1.2.0-12
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-3
ii  libtext-levenshtein-perl       0.13-1
ii  libtimedate-perl               2.3000-2
ii  liburi-perl                    1.72-2
ii  libxml-simple-perl             2.24-1
ii  libyaml-libyaml-perl           0.63-2+b2
ii  man-db                         2.7.6.1-4
ii  patchutils                     0.3.4-2
ii  perl                           5.26.1-3
ii  t1utils                        1.41-2
ii  xz-utils                       5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch      <none>
ii  dpkg-dev                1.19.0.4
ii  libhtml-parser-perl     3.72-3+b2
ii  libtext-template-perl   1.47-1

-- no debconf information
From 471593b7df4a4a42bc0d935c714d16d664e830d9 Mon Sep 17 00:00:00 2001 From: Nicolas Braud-Santoni <nicolas@braud-santoni.eu> Date: Thu, 11 Jan 2018 13:30:10 +0100 Subject: [PATCH] checks/source-copyright: Warn on insecure format URIs --- checks/source-copyright.desc | 10 ++++++++++ checks/source-copyright.pm | 12 +++++++----- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/checks/source-copyright.desc b/checks/source-copyright.desc index 718be3030..7ce6fa019 100644 --- a/checks/source-copyright.desc +++ b/checks/source-copyright.desc @@ -48,6 +48,16 @@ Info: Format URI of the machine-readable copyright file contains <tt>VERSIONED_FORMAT_URL</tt> or <tt>REVISION</tt> string. Please replace it with an actual URI or an actual revision number respectively. +Tag: insecure-copyright-format-uri +Severity: pedantic +Certainty: possible +Ref: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Info: Format URI of the machine-readable copyright file uses plain HTTP + . + Using HTTPS is prefered since policy 4.0.0. Please use + <tt>https://www.debian.org/doc/packaging-manuals/copyright-format/<i>version</i>/</tt> + as the format URI instead. + Tag: wiki-copyright-format-uri Severity: pedantic Certainty: possible diff --git a/checks/source-copyright.pm b/checks/source-copyright.pm index c04e82a5f..703f3d597 100644 --- a/checks/source-copyright.pm +++ b/checks/source-copyright.pm @@ -86,11 +86,9 @@ sub run { return; } -# Note that we allow people to use "https://" even the -# policy says it must be "http://". It might be -# pedantically wrong, but it is not worth arguing over On -# the plus side, it gives security to people blindly -# copy-wasting the URLs using "https://". +# The policy states, since 4.0.0, that people should +# use "https://" for the format URI. This is checked +# later in check_dep5_copyright. # return undef is not dep5 and '' if unknown version sub _find_dep5_version { my ($original_uri) = @_; 
@@ -213,6 +211,10 @@ sub _check_dep5_copyright { my $version = _find_dep5_version($uri); + if ($uri =~ m,^http:, ) { + tag 'insecure-copyright-format-uri', $uri + } + return if !defined($version); if ($version =~ m,wiki,) { tag 'wiki-copyright-format-uri', $uri; -- 2.15.1
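Review bot: "prefered" in the new tag description (the line `Using HTTPS is prefered since policy 4.0.0.` in checks/source-copyright.desc) should read "preferred", since this text is shown to every packager who hits the tag. The Ref field only points at the copyright-format 1.0 specification; consider also citing the Policy 4.0.0 change that introduced the HTTPS preference, so a reader can verify the claim the Info text makes.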
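Review bot: the replacement comment above `_find_dep5_version` says the scheme "is checked later in check_dep5_copyright", but the function that performs the check (visible in the next hunk) is `_check_dep5_copyright`, with a leading underscore; fix the name so the cross-reference resolves. The removed comment also recorded that the URI matching deliberately accepts "https://" as well as "http://"; keeping one sentence to that effect is worthwhile, because the new check only makes sense if `_find_dep5_version` still recognises both schemes.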
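Review bot: the new block `if ($uri =~ m,^http:, )` runs before `return if !defined($version);`, so any plain-http Format URI that is not a DEP-5 URI at all (where `_find_dep5_version` returns undef) is tagged insecure-copyright-format-uri on top of whatever the unknown-format handling emits; moving the check below the `return` limits it to recognised format URIs, which is what the tag description promises. The match is also case-sensitive, so a `Http://` scheme slips through; `m,^http:,i` closes that. Add the trailing semicolon after `tag 'insecure-copyright-format-uri', $uri` to match the style of `tag 'wiki-copyright-format-uri', $uri;` just below, and, as the cover letter itself notes, a test case with an http:// Format line so the tag is exercised by the suite.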
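To make the check the bug report describes concrete outside lintian, here is a stand-alone re-implementation added for this page; it is not lintian's code and not the submitter's patch. It reads the Format field from the header paragraph of a DEP-5 debian/copyright file and reports the two tag names that appear in the patch (insecure-copyright-format-uri, wiki-copyright-format-uri). The regular expression for the versioned Debian format URI, the placeholder tag name, the sample copyright files and the wiki URL are all constructed assumptions for the example; the ordering of the http check before the version check mirrors the patch as submitted, which is why the wiki sample gets both tags.

```python
from __future__ import annotations

import re
from typing import Optional

# Tag names as they appear in the patch's checks/source-copyright.desc.
INSECURE_TAG = "insecure-copyright-format-uri"
WIKI_TAG = "wiki-copyright-format-uri"
# Constructed label: the page does not show the name lintian uses for this case.
PLACEHOLDER_TAG = "copyright-format-uri-has-placeholder"

# Assumed shape of the official format URI; lintian's own pattern is not on the page.
DEP5_FORMAT_RE = re.compile(
    r"^(?P<scheme>[a-z]+)://www\.debian\.org/doc/packaging-manuals/copyright-format/"
    r"(?P<version>[^/]+)/?$",
    re.IGNORECASE,
)


def format_uri(copyright_text: str) -> Optional[str]:
    """Return the Format field of the header paragraph, or None if absent.

    DEP-5 puts the Format field in the first paragraph, i.e. before the
    first blank line; later paragraphs (Files:, License:) are not consulted.
    """
    header = copyright_text.split("\n\n", 1)[0]
    for line in header.splitlines():
        m = re.match(r"^Format:\s*(\S+)\s*$", line)
        if m:
            return m.group(1)
    return None


def dep5_version(uri: str) -> Optional[str]:
    """Follow the contract the patch describes for _find_dep5_version:
    None when the URI is not a DEP-5 format URI, '' when the version is
    unknown (the old wiki draft), otherwise the version string."""
    if "wiki" in uri:
        return ""
    m = DEP5_FORMAT_RE.match(uri)
    return m.group("version") if m else None


def check_copyright(copyright_text: str) -> list[str]:
    """Return the tags this checker would emit for one debian/copyright file."""
    uri = format_uri(copyright_text)
    if uri is None:
        return []  # not machine-readable: nothing for this check to say
    tags: list[str] = []
    if "VERSIONED_FORMAT_URL" in uri or "REVISION" in uri:
        tags.append(PLACEHOLDER_TAG)
    # Case-insensitive scheme test; the patch's m,^http:, is case-sensitive.
    if re.match(r"http:", uri, re.IGNORECASE):
        tags.append(INSECURE_TAG)
    version = dep5_version(uri)
    if version is None:
        return tags  # unknown format URI; the http tag above was still emitted
    if version == "":
        tags.append(WIKI_TAG)
    return tags


# Constructed sample files for the example.
GOOD = (
    "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\n"
    "Upstream-Name: example\n\nFiles: *\nCopyright: 2018 Example\nLicense: MIT\n"
)
INSECURE = GOOD.replace("Format: https://", "Format: http://")
WIKI = (
    "Format: http://wiki.debian.org/Proposals/CopyrightFormat\n"  # constructed
    "Upstream-Name: example\n\nFiles: *\nLicense: MIT\n"
)
PLACEHOLDER = (
    "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/"
    "VERSIONED_FORMAT_URL/\n\nFiles: *\nLicense: MIT\n"
)
NOT_DEP5 = "This package was debianized by someone in 2008.\n\nIt is MIT licensed.\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("insecure", INSECURE), ("wiki", WIKI),
                       ("placeholder", PLACEHOLDER), ("not-dep5", NOT_DEP5)]:
        print(f"{name:12s} {check_copyright(text)}")
```

Running the module prints one line per sample; the clean file yields no tags, the plain-http file yields only insecure-copyright-format-uri, and the wiki file yields both tags, which is the double-tagging a reviewer would point out in the patch's ordering.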