
Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

Control: tags -1 = pending

Holger Levsen <holger@layer-acht.org> writes:
> On Wed, Aug 23, 2017 at 09:20:39PM -0700, Russ Allbery wrote:

>> --- a/policy/ch-controlfields.rst
>> +++ b/policy/ch-controlfields.rst
>> @@ -962,6 +962,10 @@ repository where the Debian source package is developed.
>>  
>>      More than one different VCS may be specified for the same package.
>>  
>> +For both fields, any URLs given should use a scheme that provides
>> +confidentiality (``https``, for example, rather than ``http`` or ``git``)
>> +if the VCS repository supports it.
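Review bot: the added paragraph names only confidentiality as the property the URL scheme should provide, but for a Vcs-* URL that people clone and build from, integrity protection of the fetched source matters at least as much, and ``https`` supplies both; consider wording such as "a scheme that provides confidentiality and integrity protection (``https``, for example, rather than ``http`` or ``git``)". Separately, the three inserted lines are flush-left while the preceding context line ("More than one different VCS may be specified...") is indented four spaces, so confirm that the new paragraph is meant to close that indented block rather than continue it.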

> seconded, though I wouldn't mind a rewording to "…a scheme with better
> confidentiality…" or some such. But then, the important bit is that we
> recommend https here…

I've gone ahead and applied this version of the wording for the next
release, since this was the one that got two seconds.  The fine
distinctions between confidentiality, more confidentiality, integrity
protection, or distinctions between the protocol or how it's deployed
degraded, in retrospect, into bikeshed painting, and I don't think they
are going to matter to the typical Policy reader.

Y'all should feel free to object if this really doesn't seem like good
wording.  :)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
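The wording adopted above recommends ``https`` for Vcs-* URLs where the repository supports it. As an added example that is not part of this thread or of Debian Policy, the following Python lint parses the source paragraph of a debian/control file and reports every Vcs-* URL whose scheme is not ``https``. The sample control file is constructed for illustration; the field names and the "URL, then optional ``-b branch``" layout of Vcs-Git values follow the control file format, and the set of accepted schemes is an assumption you can widen if needed.

```python
"""Report Vcs-* URLs in debian/control that do not use an https scheme.

Added example, not code from the Debian Policy project or this thread.
"""
from urllib.parse import urlsplit

# Constructed sample debian/control; no real package is described here.
SAMPLE_CONTROL = """\
Source: example
Section: misc
Priority: optional
Maintainer: Example Maintainer <maintainer@example.org>
Vcs-Git: git://anonscm.example.org/example.git -b debian/sid
Vcs-Browser: http://anonscm.example.org/example

Package: example
Architecture: any
Description: example package
 Long description.
"""


def parse_source_paragraph(text):
    """Return the fields of the first (source) paragraph as a dict.

    Continuation lines start with whitespace and are appended to the
    previous field; the first blank line after a field ends the paragraph,
    because paragraphs in debian/control are separated by blank lines.
    """
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break
            continue
        if line[0] in " \t" and current is not None:
            fields[current] += "\n" + line.strip()
            continue
        name, _, value = line.partition(":")
        current = name.strip()
        fields[current] = value.strip()
    return fields


def vcs_url(value):
    """Extract the URL from a Vcs-* field value.

    Vcs-Git values may carry ' -b branch' and an optional '[subdir]' after
    the URL, so the URL is the first whitespace-separated token.
    """
    return value.split()[0]


def check_vcs_fields(fields, secure_schemes=("https",)):
    """Return (field, url, scheme) for each Vcs-* URL not using a secure scheme.

    The default of https only is an assumption matching the Policy wording;
    callers can pass a wider tuple if their project accepts other schemes.
    """
    findings = []
    for name, value in fields.items():
        if not name.lower().startswith("vcs-"):
            continue
        url = vcs_url(value)
        scheme = urlsplit(url).scheme.lower()
        if scheme not in secure_schemes:
            findings.append((name, url, scheme))
    return findings


if __name__ == "__main__":
    for name, url, scheme in check_vcs_fields(parse_source_paragraph(SAMPLE_CONTROL)):
        print(f"{name}: {url} uses scheme {scheme!r}; "
              "prefer https if the repository supports it")
```

Run against a real package, read the file and pass its contents to `parse_source_paragraph`; the lint cannot know whether a given hosting service actually offers https, so treat each finding as a prompt to check, exactly as the "if the VCS repository supports it" clause intends.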

