Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-12-25 Thread Russ Allbery
Control: tags -1 = pending Holger Levsen writes: > On Wed, Aug 23, 2017 at 09:20:39PM -0700, Russ Allbery wrote: >> --- a/policy/ch-controlfields.rst >> +++ b/policy/ch-controlfields.rst >> @@ -962,6 +962,10 @@ repository where the Debian source package is developed. >>

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-31 Thread Jonathan Nieder
Russ Allbery wrote: > Jonathan Nieder writes: >> C. You have transport-level integrity protection, e.g. by using a >> protocol like https:// or ssh:// with proper PKI. > > I think it's worth being honest with ourselves here that the proper PKI > part is not really

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-31 Thread Russ Allbery
Jonathan Nieder writes: > C. You have transport-level integrity protection, e.g. by using a > protocol like https:// or ssh:// with proper PKI. I think it's worth being honest with ourselves here that the proper PKI part is not really happening with the Vcs-Git field

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-31 Thread Jonathan Nieder
Russ Allbery wrote: > Jonathan Nieder writes: >> Russ Allbery wrote: >>> (That said, my understanding is that you don't get any meaningful >>> integrity protection for Git from using https over http.) >> >> As discussed elsewhere in this thread, it depends on how much you >>

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-31 Thread Russ Allbery
Jonathan Nieder writes: > Russ Allbery wrote: >> (That said, my understanding is that you don't get any meaningful >> integrity protection for Git from using https over http.) > As discussed elsewhere in this thread, it depends on how much you > trust (a) ca-certificates,

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-31 Thread Jonathan Nieder
Jonathan Nieder wrote: > Russ Allbery wrote: >>> On Wed, Aug 23 2017, Russ Allbery wrote: --- a/policy/ch-controlfields.rst +++ b/policy/ch-controlfields.rst @@ -962,6 +962,10 @@ repository where the Debian source package is developed. More than one different

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-31 Thread Jonathan Nieder
Russ Allbery wrote: > Sean Whitton writes: >> On Wed, Aug 23 2017, Russ Allbery wrote: >>> --- a/policy/ch-controlfields.rst >>> +++ b/policy/ch-controlfields.rst >>> @@ -962,6 +962,10 @@ repository where the Debian source package is >>> developed. >>> >>> More

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-25 Thread Holger Levsen
On Wed, Aug 23, 2017 at 09:20:39PM -0700, Russ Allbery wrote: > --- a/policy/ch-controlfields.rst > +++ b/policy/ch-controlfields.rst > @@ -962,6 +962,10 @@ repository where the Debian source package is developed. > > More than one different VCS may be specified for the same package. > >

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-24 Thread Russ Allbery
Henrique de Moraes Holschuh writes: > On Thu, 24 Aug 2017, Sean Whitton wrote: >> Seconded, but I think the integrity protection is a more important >> reason to avoid the git protocol or http, so if we can come up with a >> further change to reflect that it would be better. >

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-24 Thread Henrique de Moraes Holschuh
On Thu, 24 Aug 2017, Sean Whitton wrote: > Seconded, but I think the integrity protection is a more important > reason to avoid the git protocol or http, so if we can come up with a > further change to reflect that it would be better. Attacking the integrity of the messages in transit requires

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-24 Thread Russ Allbery
Sean Whitton writes: > On Wed, Aug 23 2017, Russ Allbery wrote: >> --- a/policy/ch-controlfields.rst >> +++ b/policy/ch-controlfields.rst >> @@ -962,6 +962,10 @@ repository where the Debian source package is developed. >> >> More than one different VCS may be

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-24 Thread Sean Whitton
On Wed, Aug 23 2017, Russ Allbery wrote: > --- a/policy/ch-controlfields.rst > +++ b/policy/ch-controlfields.rst > @@ -962,6 +962,10 @@ repository where the Debian source package is developed. > > More than one different VCS may be specified for the same package. > > +For both fields,

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2017-08-23 Thread Russ Allbery
Control: tags -1 patch Scott Kitterman writes: > On January 8, 2016 12:26:24 PM EST, Russ Allbery wrote: >> Scott Kitterman writes: >>> As is currently being discussed on #debian-devel, the git:// protocol >>> is insecure, but is

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2016-01-08 Thread Scott Kitterman
On January 8, 2016 12:26:24 PM EST, Russ Allbery wrote: > Scott Kitterman writes: >> As is currently being discussed on #debian-devel, the git:// protocol is >> insecure, but is what is normally used in Vcs-git fields in Debian packages. >> For git,

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2016-01-08 Thread Scott Kitterman
Package: debian-policy Severity: important Tags: patch As is currently being discussed on #debian-devel, the git:// protocol is insecure, but is what is normally used in Vcs-git fields in Debian packages. For git, it would be far better to use https://, but I don't think policy is completely

Bug#810381: debian-policy: Update wording of 5.6.26 VCS-* fields to reflect the need for security

2016-01-08 Thread Russ Allbery
Scott Kitterman writes: > As is currently being discussed on #debian-devel, the git:// protocol is > insecure, but is what is normally used in Vcs-git fields in Debian packages. > For git, it would be far better to use https://, but I don't think policy is > completely