Control: tags -1 patch

Scott Kitterman <deb...@kitterman.com> writes:
> On January 8, 2016 12:26:24 PM EST, Russ Allbery <r...@debian.org> wrote:
>> Scott Kitterman <deb...@kitterman.com> writes:

>>> As is currently being discussed on #debian-devel, the git:// protocol
>>> is insecure, but is what is normally used in Vcs-git fields in Debian
>>> packages.
>>>
>>> For git, it would be far better to use https://, but I don't think
>>> policy is completely clear that is OK since it says to use the
>>> "version control system's conventional syntax". For git, that's
>>> arguably git:// even though it's a security risk.
>>>
>>> Please see the attached patch. Although the diff is slightly noisy,
>>> the patch only adds one word.

>> I would rather add a new sentence saying that ideally the URL should
>> use a secure transport mechanism. Right now, with this rephrasing, it
>> sort of implies that if there's no encrypted transport, you shouldn't
>> use this field. It used to be that serving Git over HTTPS was a huge
>> pain and disabled a bunch of features, so some folks may just not have
>> bothered to ever set that up.

> Sounds good to me. My proposal was an attempt at a minimal change. I
> think what you're suggesting is better.

Here's a proposed diff for this. I avoided using the ambiguous term
"secure" in favor of "confidentiality," which I think is the security
property we're aiming for here. ("Integrity protection" is even more
desirable, but confuses matters since the Git protocol does arguably
provide that even over git:// and Git repositories can provide that other
ways, such as with signed tags.)

Seconds?

--- a/policy/ch-controlfields.rst
+++ b/policy/ch-controlfields.rst
@@ -962,6 +962,10 @@ repository where the Debian source package is developed.
 More than one different VCS may be specified for the same package.
 
+For both fields, any URLs given should use a scheme that provides
+confidentiality (``https``, for example, rather than ``http`` or ``git``)
+if the VCS repository supports it.
+
 .. _s-f-Package-List:
 
 ``Package-List``

-- 
Russ Allbery (r...@debian.org)              <http://www.eyrie.org/~eagle/>
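Review bot: the added paragraph names confidentiality as the only property, while the thread opened with git:// being "insecure" for a field that tells people where to fetch the package's source, and the cover text itself calls integrity protection "even more desirable" (with signed tags as a repository-side mitigation that only helps users who verify them). Consider tying the wording to an encrypted and server-authenticating transport, e.g. "a scheme that provides confidentiality and authenticates the server (``https`` or ``ssh``, for example, rather than ``http`` or ``git``)", since ``ssh``-based URLs are common in Vcs-Git fields and meet the intent but are not named in the parenthetical; "should" plus "if the VCS repository supports it" already keeps this a recommendation rather than a reason to drop the field, as the quoted reply asked.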
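An added example of my own, not code from this thread or from Debian Policy: a small check in the spirit of the proposed wording that scans the Vcs-* fields of a debian/control stanza and classifies each URL by whether its scheme gives a confidential transport. The scheme sets, the handling of scp-like ssh syntax, and the constructed sample stanza (package name and hosts) are my assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed split: encrypted, server-authenticating transports vs plaintext ones.
CONFIDENTIAL_SCHEMES = {"https", "ssh", "git+ssh", "svn+ssh", "bzr+ssh", "sftp"}
PLAINTEXT_SCHEMES = {"http", "git", "svn", "ftp"}

VCS_FIELD = re.compile(r"^(Vcs-[A-Za-z]+):\s*(.+?)\s*$")
# scp-like syntax (user@host:path) is ssh without an explicit scheme.
SCP_LIKE = re.compile(r"^[\w.-]+@[\w.-]+:")

def vcs_url(value):
    """Drop trailing options such as '-b branch' or '[subdir]'; keep the URL."""
    return value.split()[0]

def classify(url):
    """Return 'confidential', 'plaintext' or 'unknown' for one VCS URL."""
    if SCP_LIKE.match(url):
        return "confidential"
    scheme = urlsplit(url).scheme.lower()
    if scheme in CONFIDENTIAL_SCHEMES:
        return "confidential"
    if scheme in PLAINTEXT_SCHEMES:
        return "plaintext"
    return "unknown"

def check_control(text):
    """Return (field, url, verdict) for every Vcs-* field in control-file text."""
    findings = []
    for line in text.splitlines():
        m = VCS_FIELD.match(line)
        if m:
            url = vcs_url(m.group(2))
            findings.append((m.group(1), url, classify(url)))
    return findings

# Constructed sample stanza; the package name and hosts are made up.
SAMPLE_CONTROL = """\
Source: example-pkg
Maintainer: Example Maintainer <maint@example.org>
Vcs-Git: git://anonscm.example.org/collab-maint/example-pkg.git -b debian/sid
Vcs-Browser: http://anonscm.example.org/cgit/collab-maint/example-pkg.git
Vcs-Svn: svn+ssh://svn.example.org/svn/pkg/example-pkg/trunk
"""

if __name__ == "__main__":
    for field, url, verdict in check_control(SAMPLE_CONTROL):
        print(f"{verdict:12} {field}: {url}")
```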