Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
- To: Scott Kitterman <debian@kitterman.com>
- Cc: 810381@bugs.debian.org
- Subject: Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
- From: Russ Allbery <rra@debian.org>
- Date: Wed, 23 Aug 2017 21:20:39 -0700
- Message-id: <8760ddk354.fsf@hope.eyrie.org>
- Reply-to: Russ Allbery <rra@debian.org>, 810381@bugs.debian.org
- In-reply-to: <89C67432-0788-42A0-AFE7-5F987306BD58@kitterman.com> (Scott Kitterman's message of "Fri, 08 Jan 2016 13:41:00 -0500")
- References: <20160108162332.15659.58769.reportbug@kitterma-E6430> <87mvsgkmnz.fsf@hope.eyrie.org> <89C67432-0788-42A0-AFE7-5F987306BD58@kitterman.com> <20160108162332.15659.58769.reportbug@kitterma-E6430>
Control: tags -1 patch
Scott Kitterman <debian@kitterman.com> writes:
> On January 8, 2016 12:26:24 PM EST, Russ Allbery <rra@debian.org> wrote:
>> Scott Kitterman <debian@kitterman.com> writes:
>>> As is currently being discussed on #debian-devel, the git:// protocol
>>> is insecure, but is what is normally used in Vcs-git fields in Debian
>>> packages.
>>> For git, it would be far better to use https://, but I don't think
>>> policy is completely clear that is OK since it says to use the
>>> "version control system's conventional syntax". For git, that's
>>> arguably git:// even though it's a security risk.
>>> Please see the attached patch. Although the diff is slightly noisy,
>>> the patch only adds one word.
>> I would rather add a new sentence saying that ideally the URL should
>> use a secure transport mechanism. Right now, with this rephrasing, it
>> sort of implies that if there's no encrypted transport, you shouldn't
>> use this field. It used to be that serving Git over HTTPS was a huge
>> pain and disabled a bunch of features, so some folks may just not have
>> bothered to ever set that up.
> Sounds good to me. My proposal was an attempt at a minimal change. I
> think what you're suggesting is better.
Here's a proposed diff for this. I avoided using the ambiguous term
"secure" in favor of "confidentiality," which I think is the security
property we're aiming for here. ("Integrity protection" is even more
desirable, but confuses matters since the Git protocol does arguably
provide that even over git:// and Git repositories can provide that other
ways, such as with signed tags.)
Seconds?
--- a/policy/ch-controlfields.rst
+++ b/policy/ch-controlfields.rst
@@ -962,6 +962,10 @@ repository where the Debian source package is developed.
More than one different VCS may be specified for the same package.
+For both fields, any URLs given should use a scheme that provides
+confidentiality (``https``, for example, rather than ``http`` or ``git``)
+if the VCS repository supports it.
+
.. _s-f-Package-List:
``Package-List``
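Review bot: In the added paragraph, "For both fields" has no antecedent in the surrounding context, and because the preceding context line talks about specifying more than one VCS, "both" could be read as two VCS entries rather than two kinds of field; naming the fields explicitly would remove the ambiguity. The condition "if the VCS repository supports it" also reads as though the repository itself decides the transport, so wording along the lines of "if the repository is reachable over such a scheme" would be more precise. Finally, the parenthetical lists ``git`` next to ``http`` without saying that it means the ``git://`` URL scheme rather than the VCS of the same name, which is worth spelling out.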
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
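
The check the proposed wording implies, as an added example that is not part of this message or of Debian Policy: it reads the source stanza of a ``debian/control`` file and reports Vcs-* URLs whose scheme does not provide confidentiality. The set of accepted schemes beyond ``https`` is an assumption of this example, and the sample stanza is constructed.

```python
from urllib.parse import urlsplit

# https comes from the proposed wording; the ssh-based schemes are an
# assumption of this example, not something the patch lists.
CONFIDENTIAL = {"https", "ssh", "git+ssh", "svn+ssh", "bzr+ssh"}


def source_fields(control_text):
    """Return the fields of the first stanza, unfolding continuation lines."""
    fields, name = {}, None
    for line in control_text.splitlines():
        if not line.strip():
            if fields:
                break  # a blank line ends the source stanza
            continue
        if line.startswith("#"):
            continue  # comment line
        if line[0] in " \t" and name:
            fields[name] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            fields[name] = value.strip()
    return fields


def check_vcs_fields(control_text):
    """Return (field, scheme) pairs for Vcs-* URLs lacking confidentiality."""
    findings = []
    for name, value in source_fields(control_text).items():
        if not name.startswith("vcs-") or not value.strip():
            continue
        url = value.split()[0]  # Vcs-Git may carry "-b branch" after the URL
        scheme = urlsplit(url).scheme.lower()
        if scheme not in CONFIDENTIAL:
            findings.append((name, scheme or "(none)"))
    return findings


# Constructed sample input, not taken from a real package.
SAMPLE = """\
Source: hello-example
Maintainer: Jane Doe <jane@example.org>
Vcs-Browser: http://git.example.org/cgit/hello-example.git
Vcs-Git: git://git.example.org/hello-example.git -b debian/sid
Vcs-Svn: svn+ssh://svn.example.org/hello-example/trunk

Package: hello-example
Architecture: any
"""
```

On the sample stanza, ``check_vcs_fields(SAMPLE)`` reports the ``http`` Vcs-Browser URL and the ``git`` Vcs-Git URL and accepts the ``svn+ssh`` one.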