Package: lintian Version: 2.116.3 Severity: wishlist I noticed that a few packages use ssh:// URLs for the Repository field in the upstream metadata file. These are suboptimal since the user might not have an account or might not be the person in the URL when a username is hardcoded. The vcs-field-uses-not-recommended-uri-format tag covers this problem for the Debian Vcs-* fields, but lintian does not appear to check the upstream Repository/Repository-Browse fields. https://codesearch.debian.net/search?q=path%3A%2Fdebian%2Fupstream+Repository.*ssh%3A&literal=0 In addition there are some packages with insecure URLs to git repos and the vcs-field-uses-insecure-uri tag does not flag those packages yet. https://codesearch.debian.net/search?q=path%3A%2Fdebian%2Fupstream+Repository.*git%3A&literal=0 I think it would be a good idea to extend all of the Vcs-* field checks to also check the upstream Repository/Repository-Browse fields too. https://wiki.debian.org/UpstreamMetadata -- bye, pabs https://wiki.debian.org/PaulWise
Attachment:
signature.asc
Description: This is a digitally signed message part