
Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs



Hi Chris,

On Sat, Apr 28, 2018 at 08:31:40AM +0100, Chris Lamb wrote:
> > I: seaview source: debian-watch-uses-insecure-uri 
> > ftp://pbil.univ-lyon1.fr/pub/ […]
> > 
> > Since there is no anonymous secure ftp this info is not very helpful
> > IMHO.
> 
> Lintian asking you to encourage upstream to move to HTTPS. Or perhaps
> I'm missing something here?

This answer points in the same direction as Paul's response.

My understanding of the lintian issue was to make maintainers verify
whether their watch files will work with https instead of http as well.
This way I fixed several watch files, but if I realised that the watch
file did not work after a simple s/http:/https:/ (usually resulting in
an error 503), I reverted the change.

With this understanding I never had a reason to look into ftp: based
watch files.

I agree that if the intention is not to encourage the maintainer to
try a s/http:/https:/ but rather to contact upstream, the lintian warning
is fine, but maybe the text should be more explicit:

   Please contact upstream and point them to <useful URL> how to
   change their download method.
 
> Fixing this issue would essentially involve marking "ftp://" as a
> secure protocol which is obviously not the case...

Definitely not.  Maybe the lintian warning should be more explicit
and say:

  d/watch is pointing to an ftp download location.  Downloading
  from ftp sites is considered insecure when not using ftp over
  TLS.

Kind regards

      Andreas. 

-- 
http://fam-tille.de
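The check discussed in this thread, as an added example that is not part of the mail and not lintian's or uscan's own code: it reads a debian/watch file with a simplified parser (comments, the version= line, backslash continuations, an optional leading opts=... field), reports each download URI whose scheme carries no transport security (http or ftp), and for http tries the s/http:/https:/ swap through a caller-supplied probe so the change is kept only when the https directory answers and reverted otherwise (the "error 503" case). ftp findings get no candidate, since there is no scheme swap that helps there. The sample watch file, its hostnames and paths are constructed for this example; the seaview mirror path from the lintian output is not reproduced.

```python
"""Report insecure download URIs in a debian/watch file and trial the
http -> https swap. Added example, not lintian or uscan code."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

INSECURE_SCHEMES = {"http", "ftp"}
# opts=VALUE may be quoted (spaces inside) or a single bare token.
OPTS_RE = re.compile(r'^opts=("[^"]*"|\S+)\s+(?P<rest>.*)$')

# Constructed watch file for this example (hosts and paths are made up).
SAMPLE_WATCH = r"""
# constructed example watch file, not seaview's real debian/watch
version=4
opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/seaview-$1\.tar\.gz/ \
  ftp://ftp.example.org/pub/seaview/seaview_(\d[\d.]*)\.tar\.gz
http://www.example.org/releases/foo-(\d[\d.]*)\.tar\.gz
https://www.example.org/releases/bar-(\d[\d.]*)\.tar\.gz
"""


@dataclass
class Finding:
    lineno: int                      # physical line where the watch line starts
    uri: str                         # download URI as written (pattern included)
    scheme: str
    https_candidate: Optional[str]   # None when a scheme swap cannot help (ftp)


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (lineno, line) with backslash continuations joined and
    blank/comment lines dropped. Simplified reading of the uscan format."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if buf == "" and (not line or line.startswith("#")):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:  # file ended inside a continuation
        yield start, buf.strip()


def download_uri(line: str) -> Optional[str]:
    """First field of a watch line after the optional opts=..., or None
    for the version= line."""
    if line.startswith("version="):
        return None
    m = OPTS_RE.match(line)
    if m:
        line = m.group("rest")
    tokens = line.split()
    return tokens[0] if tokens else None


def check_watch(text: str) -> List[Finding]:
    """Equivalent of the debian-watch-uses-insecure-uri tag: one Finding
    per watch line whose URI scheme is http or ftp."""
    findings = []
    for lineno, line in logical_lines(text):
        uri = download_uri(line)
        if uri is None:
            continue
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme not in INSECURE_SCHEMES:
            continue
        candidate = None
        if scheme == "http":  # only http has a drop-in secure sibling
            candidate = urlunsplit(("https",) + tuple(parts[1:]))
        findings.append(Finding(lineno, uri, scheme, candidate))
    return findings


def base_url(uri: str) -> str:
    """Directory part uscan would fetch: everything up to the last '/'."""
    return uri.rsplit("/", 1)[0] + "/"


def head_status(url: str) -> int:
    """Real probe: HTTP status of a HEAD request (HTTPError carries the
    code, e.g. 503). Not used in the offline demo below."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def try_https(finding: Finding, probe: Callable[[str], int]) -> str:
    """URI to keep: the https candidate if probing its directory succeeds
    (2xx/3xx), otherwise the original, i.e. revert the swap."""
    if finding.https_candidate is None:
        return finding.uri
    try:
        status = probe(base_url(finding.https_candidate))
    except OSError:
        return finding.uri
    return finding.https_candidate if 200 <= status < 400 else finding.uri


if __name__ == "__main__":
    stub_probe = lambda url: 503   # stand-in for head_status; no network here
    for f in check_watch(SAMPLE_WATCH):
        print(f"line {f.lineno}: {f.scheme}:// URI -> keep {try_https(f, stub_probe)}")
```

With a real probe (head_status) the http line would be switched to https only when the https directory actually answers; the ftp line is reported but left alone, which is the case the thread says needs an upstream contact rather than a scheme edit.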

