
Bug#810381: marked as done (Update wording of 5.6.26 VCS-* fields to recommend encryption)



Your message dated Wed, 27 Dec 2017 22:48:45 +0000
with message-id <E1eUKVB-000Dqn-C8@fasolo.debian.org>
and subject line Bug#810381: fixed in debian-policy 4.1.3.0
has caused the Debian Bug report #810381,
regarding Update wording of 5.6.26 VCS-* fields to recommend encryption
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
810381: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810381
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-policy
Severity: important
Tags: patch

As is currently being discussed on #debian-devel, the git:// protocol is
insecure, but is what is normally used in Vcs-git fields in Debian packages.

For git, it would be far better to use https://, but I don't think policy is
completely clear that this is OK since it says to use the "version control system's
conventional syntax".  For git, that's arguably git:// even though it's a
security risk.

Please see the attached patch.  Although the diff is slightly noisy, the patch
only adds one word.

Scott K
--- policy.txt.old	2016-01-08 11:17:29.734078678 -0500
+++ policy.txt.new	2016-01-08 11:19:09.050083170 -0500
@@ -2774,11 +2774,11 @@
      `Vcs-Arch', `Vcs-Bzr' (Bazaar), `Vcs-Cvs', `Vcs-Darcs', `Vcs-Git',
      `Vcs-Hg' (Mercurial), `Vcs-Mtn' (Monotone), `Vcs-Svn' (Subversion)
           The field name identifies the VCS.  The field's value uses the
-          version control system's conventional syntax for describing
-          repository locations and should be sufficient to locate the
-          repository used for packaging.  Ideally, it also locates the
-          branch used for development of new versions of the Debian
-          package.
+          version control system's conventional syntax for securely
+          describing repository locations and should be sufficient to
+          locate the repository used for packaging.  Ideally, it also 
+          locates the branch used for development of new versions of the
+          Debian package.
 
           In the case of Git, the value consists of a URL, optionally
           followed by the word `-b' and the name of a branch in the

--- End Message ---
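The report above argues that git:// (and, by the same reasoning, http:// or svn://) in a Vcs-* field exposes the packaging repository to a non-confidential transport, and the eventual policy change recommends that Vcs-* URLs provide confidentiality. The following is an added example, not code from the bug report or from the debian-policy package: a small checker that reads the source stanza of a debian/control file, extracts each Vcs-* value (stripping the `-b branch` suffix that Vcs-Git allows), and reports fields whose URL scheme does not encrypt the transport. The set of schemes treated as confidential, the sample control stanza and its hostnames are constructed for this example.

```python
"""Added example: flag Vcs-* fields in debian/control whose transport
provides no confidentiality (e.g. git://, svn://, http://).

Not part of the bug report or of Debian Policy; the sample control
stanza and the CONFIDENTIAL_SCHEMES set are constructed/assumed here."""
from urllib.parse import urlsplit

# Assumption for this example: these schemes encrypt the transport.
CONFIDENTIAL_SCHEMES = {"https", "ssh", "git+ssh", "svn+ssh", "bzr+ssh"}

# Vcs-* field names listed in Policy 5.6.26 (as quoted in the patch above).
VCS_FIELDS = ("Vcs-Arch", "Vcs-Bzr", "Vcs-Cvs", "Vcs-Darcs", "Vcs-Git",
              "Vcs-Hg", "Vcs-Mtn", "Vcs-Svn")

# Constructed sample: one field on a cleartext transport per VCS.
SAMPLE_CONTROL = """\
Source: example-pkg
Section: misc
Priority: optional
Maintainer: Example Maintainer <maintainer@example.org>
Vcs-Git: git://anonscm.example.org/collab-maint/example-pkg.git -b debian/sid
Vcs-Svn: svn://anonscm.example.org/pkg-example/trunk

Package: example-pkg
Architecture: all
Description: constructed control file for the example
"""


def parse_source_stanza(control_text):
    """Return the fields of the first (source) paragraph as an ordered dict.

    Continuation lines (leading whitespace) are folded into the previous
    field; parsing stops at the blank line that ends the first paragraph."""
    fields = {}
    last = None
    for line in control_text.splitlines():
        if not line.strip():
            if fields:
                break  # end of the source paragraph
            continue
        if line[0] in " \t" and last is not None:
            fields[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line; ignore
        last = name.strip()
        fields[last] = value.strip()
    return fields


def vcs_url(value):
    """Return the repository URL from a Vcs-* value.

    Vcs-Git may be followed by ' -b <branch>', so only the first token
    is the URL."""
    parts = value.split()
    return parts[0] if parts else ""


def check_vcs_fields(control_text):
    """Return (field, url, scheme) for every Vcs-* value whose scheme is
    not in CONFIDENTIAL_SCHEMES.  Values that are not URLs at all (e.g. a
    CVS root like ':pserver:...') have no scheme and are reported as 'none'."""
    findings = []
    for field, value in parse_source_stanza(control_text).items():
        if field not in VCS_FIELDS:
            continue
        url = vcs_url(value)
        scheme = urlsplit(url).scheme.lower()
        if scheme not in CONFIDENTIAL_SCHEMES:
            findings.append((field, url, scheme or "none"))
    return findings


if __name__ == "__main__":
    for field, url, scheme in check_vcs_fields(SAMPLE_CONTROL):
        print(f"{field}: {url!r} uses scheme {scheme!r}, which provides no confidentiality")
```

Run against a real package, the checker reads `debian/control` and reports the two constructed fields above as findings; a stanza pointing at `https://salsa.debian.org/...` produces none. The scheme set is deliberately a plain constant so a team can tighten it (for instance dropping `ssh` if only https:// is acceptable for anonymous cloning).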
--- Begin Message ---
Source: debian-policy
Source-Version: 4.1.3.0

We believe that the bug you reported is fixed in the latest version of
debian-policy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 810381@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <spwhitton@spwhitton.name> (supplier of updated debian-policy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Dec 2017 22:13:55 +0000
Source: debian-policy
Binary: debian-policy
Architecture: all source
Version: 4.1.3.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Policy Editors <debian-policy@lists.debian.org>
Changed-By: Sean Whitton <spwhitton@spwhitton.name>
Closes: 522163 601455 661496 688251 810381 859649 874090 874095 880992 882628 885219
Description: 
 debian-policy - Debian Policy Manual and related documents
Changes:
 debian-policy (4.1.3.0) unstable; urgency=medium
 .
   [ Sean Whitton ]
   * Policy: Add CC0-1.0 to common-licenses
     Wording: Jeremy Bicha <jbicha@debian.org>
     Seconded: Sean Whitton <spwhitton@spwhitton.name>
     Seconded: Mattia Rizzolo <mattia@debian.org>
     Seconded: Holger Levsen <holger@layer-acht.org>
     Closes: #859649, #882628
   * Policy: Clarify when Built-Using should be used
     Wording: Sean Whitton <spwhitton@spwhitton.name>
     Seconded: Russ Allbery <rra@debian.org>
     Seconded: Jonathan Nieder <jrnieder@gmail.com>
     Closes: #688251
   * Policy: Use update-rc.d's defaults-disabled instead of DISABLED=yes
     Wording: Sean Whitton <spwhitton@spwhitton.name>
     Wording: Russ Allbery <rra@debian.org>
     Seconded: Andreas Henriksson <andreas@fatal.se>
     Closes: #522163, #601455, #661496
     - Also explain how the local administrator can enable/disable
       autostarting daemons using update-rc.d.
   * Point Vcs-* fields at salsa.debian.org.
   * README: update references & URIs alioth->salsa
   * Maintainer field: "Debian Policy List"->"Debian Policy Editors"
     To match our new group on salsa.debian.org.
 .
   [ Russ Allbery ]
   * Policy: Recommend that Vcs-* URLs provide confidentiality
     Wording: Russ Allbery <rra@debian.org>
     Seconded: Sean Whitton <spwhitton@spwhitton.name>
     Seconded: Holger Levsen <holger@layer-acht.org>
     Closes: #810381
   * Policy: Clarify that programs may search PATH for editor and pager
     Wording: Jonathan Nieder <jrnieder@gmail.com>
     Seconded: Russ Allbery <rra@debian.org>
     Seconded: Sean Whitton <spwhitton@spwhitton.name>
     Closes: #880992
   * Policy: Allow libc to install files in /lib64
     Wording: Russ Allbery <rra@debian.org>
     Seconded: Jonathan Nieder <jrnieder@gmail.com>
     Seconded: Sean Whitton <spwhitton@spwhitton.name>
     Closes: #885219
   * Use the term synopsis consistently in copyright-format.  Thanks, Ben
     Finney.  (Closes: #874095)
   * Fix various minor wording issues and add additional cross-references
     in copyright-format.  Thanks, Ben Finney.  (Closes: #874090)
   * Adapt tools/license-count to run against ftp-master metadata instead
     of the Lintian lab, add patterns for CC0-1.0, and add some comments on
     how to run this tool.
Checksums-Sha1: 
 05da4159044b00745b08eb6eaab3e16cd05642c8 2001 debian-policy_4.1.3.0.dsc
 8d35cfc5a8c863e523ba6e02f9f2de7c5d5b9d89 676216 debian-policy_4.1.3.0.tar.xz
 f1ed62eac9c6f4fbccebc5898d927766d7f8dc01 2382244 debian-policy_4.1.3.0_all.deb
 9204463a0c2bae0737a4e1183214881006cfe974 11982 debian-policy_4.1.3.0_i386.buildinfo
Checksums-Sha256: 
 46e2da6bad32531018dece9414071cdb1ca6f541202e98b10b995917ab63b4de 2001 debian-policy_4.1.3.0.dsc
 343a6c8780cfad8444bdeae14a00464e5e8689f1d783cf49178f119346db3297 676216 debian-policy_4.1.3.0.tar.xz
 66636457413c145e6a9aba668ef6ef53fbcf86e6710df3318c7df181210e68da 2382244 debian-policy_4.1.3.0_all.deb
 586de7588896f56fba1c5fc7606c2a312d248e847a61e9a1a64d12fe4807f922 11982 debian-policy_4.1.3.0_i386.buildinfo
Files: 
 f75b8b0b837ff21a4c3e3842a77832c8 2001 doc optional debian-policy_4.1.3.0.dsc
 6b69ec9a8da76f26b7f1c61a27affd16 676216 doc optional debian-policy_4.1.3.0.tar.xz
 384e5f5082a6dc97e353dad48e726a8a 2382244 doc optional debian-policy_4.1.3.0_all.deb
 67ca8cc09b64aebfbc01ed7052d3c215 11982 doc optional debian-policy_4.1.3.0_i386.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
