On Wed, Aug 23 2017, Russ Allbery wrote: > --- a/policy/ch-controlfields.rst > +++ b/policy/ch-controlfields.rst > @@ -962,6 +962,10 @@ repository where the Debian source package is developed. > > More than one different VCS may be specified for the same package. > > +For both fields, any URLs given should use a scheme that provides > +confidentiality (``https``, for example, rather than ``http`` or ``git``) > +if the VCS repository supports it. > + > .. _s-f-Package-List: > > ``Package-List``
Seconded, but I think the integrity protection is a more important reason to avoid the git protocol or http, so if we can come up with a further change to reflect that it would be better. -- Sean Whitton
signature.asc
Description: PGP signature
