
Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security



Russ Allbery wrote:
> Sean Whitton <spwhitton@spwhitton.name> writes:
>> On Wed, Aug 23 2017, Russ Allbery wrote:

>>> --- a/policy/ch-controlfields.rst
>>> +++ b/policy/ch-controlfields.rst
>>> @@ -962,6 +962,10 @@ repository where the Debian source package is developed.
>>> 
>>>      More than one different VCS may be specified for the same package.
>>> 
>>> +For both fields, any URLs given should use a scheme that provides
>>> +confidentiality (``https``, for example, rather than ``http`` or ``git``)
>>> +if the VCS repository supports it.
>>> +
>>>  .. _s-f-Package-List:
>>> 
>>>  ``Package-List``
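
Review bot: The added paragraph asks only for confidentiality, but the schemes it contrasts (``https`` against ``http`` or ``git``) differ just as much in whether the fetched data can be altered in transit, which is the property that matters to someone cloning from a Vcs-* URL. Suggest wording such as "a scheme that provides confidentiality and integrity protection". Separately, "For both fields" follows a context line saying more than one VCS may be specified, so it is not obvious which two fields are meant; naming them in the sentence would remove the ambiguity.
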
[...]
> Maybe I should just say:
>
>     a scheme that provides confidentiality and integrity protection

Seconded.

> I think I was over-thinking it.
>
> (That said, my understanding is that you don't get any meaningful
> integrity protection for Git from using https over http.)

As discussed elsewhere in this thread, it depends on how much you
trust (a) ca-certificates, versus (b) DNS.

The ideal is to use signed tags and check them.  (Or even better, to
work with git upstream to get push certs distributed properly and
check those.)

It would be nice to get something like chromium's certificate pinning
into curl, but that's a separate topic.

Thanks,
Jonathan
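
The scheme rule proposed in the patch can be checked mechanically. The following is an added example, not code from this thread or from Debian Policy: it reads the source stanza of a `debian/control` file and classifies the URL scheme of each Vcs-* field. The function names, verdict labels and sample stanza are assumptions made for illustration; `https`, `http` and `git` are classified as the patch text names them, and any other scheme is only marked for manual review.

```python
from urllib.parse import urlsplit

# Schemes named in the proposed Policy text; anything else is left for a human.
VERDICTS = {"https": "ok", "http": "plaintext", "git": "plaintext"}

# Constructed debian/control sample (not a real package).
SAMPLE_CONTROL = """\
Source: example-pkg
Vcs-Browser: http://git.example.org/example-pkg
Vcs-Git: git://git.example.org/example-pkg.git -b debian/sid
Vcs-Svn: https://svn.example.org/example-pkg/trunk

Package: example-pkg
Description: constructed example
"""

def source_fields(control_text):
    """Return (name, value) pairs from the first (source) stanza."""
    fields = []
    for line in control_text.splitlines():
        if not line.strip():
            if fields:
                break  # a blank line ends the source stanza
            continue
        if line.startswith("#"):
            continue
        if line[0] in " \t" and fields:  # continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def check_vcs_fields(control_text):
    """Classify the URL scheme of every Vcs-* field in the source stanza."""
    findings = []
    for name, value in source_fields(control_text):
        if not name.lower().startswith("vcs-") or not value:
            continue
        # Vcs-Git may carry "-b <branch>" after the URL; the URL is the first token.
        scheme = urlsplit(value.split()[0]).scheme.lower()
        findings.append((name, scheme, VERDICTS.get(scheme, "review")))
    return findings

if __name__ == "__main__":
    for name, scheme, verdict in check_vcs_fields(SAMPLE_CONTROL):
        print(f"{verdict:9} {name}: {scheme}")
```
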

