Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
On January 8, 2016 12:26:24 PM EST, Russ Allbery <rra@debian.org> wrote:
>Scott Kitterman <debian@kitterman.com> writes:
>
>> As is currently being discussed on #debian-devel, the git:// protocol
>is
>> insecure, but is what is normally used in Vcs-git fields in Debian
>packages.
>
>> For git, it would be far better to used https://, but I don't think
>policy is
>> completely clear that is OK since it says to use the "version control
>system's
>> conventional syntax". For git, that's arguably git:// even though
>it's a
>> security risk.
>
>> Please see the attached patch. Although the diff is slightly noisy,
>the patch
>> only adds one word.
>
>I would rather add a new sentence saying that ideally the URL should
>use a
>secure transport mechanism. Right now, with this rephrasing, it sort
>of
>implies that if there's no encrypted transport, you shouldn't use this
>field. It used to be that serving Git over HTTPS was a huge pain and
>disabled a bunch of features, so some folks may just not have bothered
>to
>ever set that up.
Sounds good to me. My proposal was an attempt at a minimal change. I think what you're suggesting is better.
Scott K
Reply to: