Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

To: Sean Whitton <spwhitton@spwhitton.name>
Cc: 810381@bugs.debian.org
Subject: Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
From: Russ Allbery <rra@debian.org>
Date: Thu, 24 Aug 2017 14:49:39 -0700
Message-id: <[🔎] 87inhcljpo.fsf@hope.eyrie.org>
Reply-to: Russ Allbery <rra@debian.org>, 810381@bugs.debian.org
In-reply-to: <[🔎] 87valcadlu.fsf@iris.silentflame.com> (Sean Whitton's message of "Thu, 24 Aug 2017 13:57:01 -0700")
References: <20160108162332.15659.58769.reportbug@kitterma-E6430> <87mvsgkmnz.fsf@hope.eyrie.org> <89C67432-0788-42A0-AFE7-5F987306BD58@kitterman.com> <20160108162332.15659.58769.reportbug@kitterma-E6430> <[🔎] 8760ddk354.fsf@hope.eyrie.org> <20160108162332.15659.58769.reportbug@kitterma-E6430> <[🔎] 87valcadlu.fsf@iris.silentflame.com> <20160108162332.15659.58769.reportbug@kitterma-E6430>

Sean Whitton <spwhitton@spwhitton.name> writes:
> On Wed, Aug 23 2017, Russ Allbery wrote:

>> --- a/policy/ch-controlfields.rst
>> +++ b/policy/ch-controlfields.rst
>> @@ -962,6 +962,10 @@ repository where the Debian source package is developed.
>>  
>>      More than one different VCS may be specified for the same package.
>>  
>> +For both fields, any URLs given should use a scheme that provides
>> +confidentiality (``https``, for example, rather than ``http`` or ``git``)
>> +if the VCS repository supports it.
>> +
>>  .. _s-f-Package-List:
>>  
>>  ``Package-List``

> Seconded, but I think the integrity protection is a more important
> reason to avoid the git protocol or http, so if we can come up with a
> further change to reflect that it would be better.

Maybe I should just say:

    a scheme that provides confidentiality and integrity protection

I think I was over-thinking it.

(That said, my understanding is that you don't get any meaningful
integrity protection for Git from using https over http.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
  - From: Jonathan Nieder <jrnieder@gmail.com>

References:
- Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
  - From: Russ Allbery <rra@debian.org>
- Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
  - From: Sean Whitton <spwhitton@spwhitton.name>

Prev by Date: Bug#682347: mark 'editor' virtual package name as obsolete
Next by Date: Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
Previous by thread: Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
Next by thread: Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security
Index(es):
- Date
- Thread