On January 8, 2016 12:26:24 PM EST, Russ Allbery <r...@debian.org> wrote:
> Scott Kitterman <deb...@kitterman.com> writes:
>
>> As is currently being discussed on #debian-devel, the git:// protocol is
>> insecure, but is what is normally used in Vcs-git fields in Debian packages.
>
>> For git, it would be far better to use https://, but I don't think policy is
>> completely clear that is OK since it says to use the "version control system's
>> conventional syntax". For git, that's arguably git:// even though it's a
>> security risk.
>
>> Please see the attached patch. Although the diff is slightly noisy, the patch
>> only adds one word.
>
> I would rather add a new sentence saying that ideally the URL should use a
> secure transport mechanism. Right now, with this rephrasing, it sort of
> implies that if there's no encrypted transport, you shouldn't use this
> field. It used to be that serving Git over HTTPS was a huge pain and
> disabled a bunch of features, so some folks may just not have bothered to
> ever set that up.
Sounds good to me. My proposal was an attempt at a minimal change. I think what you're suggesting is better.

Scott K
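The practical check behind this thread is whether a package's Vcs-* fields point at a transport that authenticates the server (https://, ssh) or at one that does not (git://, http://). Below is an added example of such a check, written for this page and not taken from the thread, Debian Policy or any Debian tool; the control stanzas it scans are constructed sample data, and the host names in them are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample debian/control stanzas (placeholder hosts, not real packages).
SAMPLE_CONTROL = """\
Source: example-one
Maintainer: Example Maintainer <maint@example.org>
Vcs-Git: git://anonscm.example.org/collab-maint/example-one.git
Vcs-Browser: http://anonscm.example.org/cgit/collab-maint/example-one.git

Source: example-two
Maintainer: Example Maintainer <maint@example.org>
Vcs-Git: https://salsa.example.org/debian/example-two.git -b debian/sid
Vcs-Browser: https://salsa.example.org/debian/example-two
"""

# git:// and http:// give neither server authentication nor integrity,
# so a network attacker can serve a modified tree; https and ssh do.
INSECURE_SCHEMES = {"git", "http"}
SECURE_SCHEMES = {"https", "ssh"}


def parse_stanzas(text):
    """Split control-file text into stanzas, each a dict of field -> value.
    Continuation lines (leading whitespace) are ignored; Vcs fields are one line."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not line[0].isspace():
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def transport_of(url):
    """Return the transport scheme of a Vcs URL.
    Vcs-Git values may carry a trailing '-b <branch>', which is dropped, and
    scp-like 'user@host:path' syntax is reported as ssh."""
    url = url.split()[0]
    if "://" not in url and re.match(r"^[\w.-]+@[\w.-]+:", url):
        return "ssh"
    return urlsplit(url).scheme.lower()


def check_vcs_fields(text):
    """Return (source, field, url, scheme) for every Vcs-* field whose
    transport is in INSECURE_SCHEMES, in the order the fields appear."""
    findings = []
    for stanza in parse_stanzas(text):
        source = stanza.get("Source", "<unknown>")
        for field, value in stanza.items():
            if not field.startswith("Vcs-"):
                continue
            scheme = transport_of(value)
            if scheme in INSECURE_SCHEMES:
                findings.append((source, field, value, scheme))
    return findings


if __name__ == "__main__":
    for source, field, url, scheme in check_vcs_fields(SAMPLE_CONTROL):
        print(f"{source}: {field} uses unauthenticated transport {scheme}:// -> {url}")
```

Run against a real control file by replacing SAMPLE_CONTROL with the file's contents; each hit names the stanza and field so the maintainer can switch the URL to https:// (or an ssh URL for pushing) without changing anything else in the field.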