Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
Package: debian-policy
Severity: important
Tags: patch
As is currently being discussed on #debian-devel, the git:// protocol is
insecure, but is what is normally used in Vcs-git fields in Debian packages.
For git, it would be far better to use https://, but I don't think policy is
completely clear that it is OK since it says to use the "version control system's
conventional syntax". For git, that's arguably git:// even though it's a
security risk.
Please see the attached patch. Although the diff is slightly noisy, the patch
only adds one word.
Scott K
--- policy.txt.old 2016-01-08 11:17:29.734078678 -0500
+++ policy.txt.new 2016-01-08 11:19:09.050083170 -0500
@@ -2774,11 +2774,11 @@
`Vcs-Arch', `Vcs-Bzr' (Bazaar), `Vcs-Cvs', `Vcs-Darcs', `Vcs-Git',
`Vcs-Hg' (Mercurial), `Vcs-Mtn' (Monotone), `Vcs-Svn' (Subversion)
The field name identifies the VCS. The field's value uses the
- version control system's conventional syntax for describing
- repository locations and should be sufficient to locate the
- repository used for packaging. Ideally, it also locates the
- branch used for development of new versions of the Debian
- package.
+ version control system's conventional syntax for securely
+ describing repository locations and should be sufficient to
+ locate the repository used for packaging. Ideally, it also
+ locates the branch used for development of new versions of the
+ Debian package.
In the case of Git, the value consists of a URL, optionally
followed by the word `-b' and the name of a branch in the
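Review bot: the inserted word at `version control system's conventional syntax for securely` leaves "securely" undefined, so a maintainer reading the paragraph still cannot tell which URL schemes satisfy it, and the following sentence ("In the case of Git, the value consists of a URL") gives no guidance either. Since the report's concern is that `git://` provides neither server authentication nor transport integrity while `https://` does, consider stating the requirement directly, e.g. "repository locations using a transport that authenticates the repository host (for Git, https:// rather than git://)", or adding a footnote with that rationale. The remaining changed lines only reflow the paragraph, as the report says, so no other wording is affected.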