Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
Sean Whitton <spwhitton@spwhitton.name> writes:
> On Wed, Aug 23 2017, Russ Allbery wrote:
>> --- a/policy/ch-controlfields.rst
>> +++ b/policy/ch-controlfields.rst
>> @@ -962,6 +962,10 @@ repository where the Debian source package is developed.
>>
>> More than one different VCS may be specified for the same package.
>>
>> +For both fields, any URLs given should use a scheme that provides
>> +confidentiality (``https``, for example, rather than ``http`` or ``git``)
>> +if the VCS repository supports it.
>> +
>> .. _s-f-Package-List:
>>
>> ``Package-List``
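Review bot: the new paragraph justifies the scheme choice by confidentiality alone, but for a URL that readers will clone from, the property that matters more is that what arrives has not been altered in transit, which ``https`` provides against on-path tampering and ``http`` and ``git`` do not; suggest wording it as "any URLs given should use a scheme that provides confidentiality and integrity protection (``https``, for example, rather than ``http`` or ``git``)". It is also worth not overstating the guarantee: transport protection covers only the path to the server, not whether the repository contents are what the maintainer pushed, so the sentence should not read as if an ``https`` URL by itself authenticates the source.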
> Seconded, but I think the integrity protection is a more important
> reason to avoid the git protocol or http, so if we can come up with a
> further change to reflect that it would be better.
Maybe I should just say:
a scheme that provides confidentiality and integrity protection
I think I was over-thinking it.
(That said, my understanding is that you don't get any meaningful
integrity protection for Git from using https over http.)
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
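A check in the spirit of the wording being discussed, written as an added example for this thread (it is not part of debian-policy, lintian or any Debian tool): parse a debian/control file, pull out every Vcs-* field, and flag URLs whose scheme gives no transport-level confidentiality or integrity. The deb822 parser is a deliberately small one, the control file is constructed for the example, and the sets of "secure" and "insecure" schemes are this example's assumption; Policy itself only names ``https`` on the positive side and ``http`` and ``git`` on the negative side.

```python
"""Flag Vcs-* fields whose URL scheme protects neither confidentiality nor
integrity in transit. Example code for the debian-policy discussion, not
part of debian-policy, lintian or dpkg."""
from urllib.parse import urlsplit

# Transport protected by TLS or SSH. This set is an assumption of the
# example; the proposed Policy text names only ``https`` explicitly.
SECURE_SCHEMES = {"https", "ssh", "git+ssh", "svn+ssh", "bzr+ssh"}
# Cleartext transports: the two named in the proposed wording plus others.
INSECURE_SCHEMES = {"http", "git", "svn", "ftp"}


def parse_deb822(text):
    """Split deb822 text into paragraphs (dicts of field -> value).

    Paragraphs are separated by blank lines; a line starting with
    whitespace continues the previous field's value."""
    paragraphs, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                paragraphs.append(current)
            current, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            current[last] += "\n" + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        current[last] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def classify_vcs_url(value):
    """Return (url, scheme, verdict) for one Vcs-* field value.

    Vcs-Git may carry a trailing ' -b <branch>', so only the first
    whitespace-separated token is treated as the URL. Values without a
    URL scheme (e.g. a Vcs-Cvs ':pserver:...' root) are 'unknown'."""
    tokens = value.split()
    url = tokens[0] if tokens else ""
    scheme = urlsplit(url).scheme.lower()
    if scheme in SECURE_SCHEMES:
        verdict = "ok"
    elif scheme in INSECURE_SCHEMES:
        verdict = "insecure"
    else:
        verdict = "unknown"
    return url, scheme, verdict


def check_control(text):
    """Return (field, url, verdict) for every Vcs-* field in the file."""
    findings = []
    for para in parse_deb822(text):
        for field, value in para.items():
            if field.lower().startswith("vcs-"):
                url, _scheme, verdict = classify_vcs_url(value)
                findings.append((field, url, verdict))
    return findings


def insecure_fields(text):
    """Only the findings a reviewer would ask the maintainer to change."""
    return [f for f in check_control(text) if f[2] == "insecure"]


# Constructed debian/control for the example; hostnames are placeholders.
CONTROL = """\
Source: examplepkg
Section: misc
Priority: optional
Maintainer: Example Maintainer <maintainer@example.org>
Build-Depends: debhelper (>= 10)
Standards-Version: 4.0.0
Vcs-Git: git://vcs.example.org/examplepkg.git -b debian/master
Vcs-Browser: https://vcs.example.org/cgit/examplepkg.git
Homepage: http://example.org/

Package: examplepkg
Architecture: any
Depends: ${shlibs:Depends},
 ${misc:Depends}
Description: example package
 Long description.
"""

if __name__ == "__main__":
    for field, url, verdict in check_control(CONTROL):
        print(f"{verdict:8s} {field}: {url}")
```

Running it on the constructed file reports the ``Vcs-Git`` URL as insecure and the ``Vcs-Browser`` URL as ok; ``Homepage`` is ignored because the proposed text applies to the Vcs-* fields only. A ``Vcs-Cvs`` root such as ``:pserver:anonymous@...`` comes back as unknown rather than being guessed at, since it has no URL scheme to judge.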