Control: tags -1 = pending
Holger Levsen writes:
> On Wed, Aug 23, 2017 at 09:20:39PM -0700, Russ Allbery wrote:
>> --- a/policy/ch-controlfields.rst
>> +++ b/policy/ch-controlfields.rst
>> @@ -962,6 +962,10 @@ repository where the Debian source package is developed.
>>
Russ Allbery wrote:
> Jonathan Nieder writes:
>> C. You have transport-level integrity protection, e.g. by using a
>> protocol like https:// or ssh:// with proper PKI.
>
> I think it's worth being honest with ourselves here that the proper PKI
> part is not really
Jonathan Nieder writes:
> C. You have transport-level integrity protection, e.g. by using a
> protocol like https:// or ssh:// with proper PKI.
I think it's worth being honest with ourselves here that the proper PKI
part is not really happening with the Vcs-Git field
Russ Allbery wrote:
> Jonathan Nieder writes:
>> Russ Allbery wrote:
>>> (That said, my understanding is that you don't get any meaningful
>>> integrity protection for Git from using https over http.)
>>
>> As discussed elsewhere in this thread, it depends on how much you
>>
Jonathan Nieder writes:
> Russ Allbery wrote:
>> (That said, my understanding is that you don't get any meaningful
>> integrity protection for Git from using https over http.)
> As discussed elsewhere in this thread, it depends on how much you
> trust (a) ca-certificates,
Jonathan Nieder wrote:
> Russ Allbery wrote:
>>> On Wed, Aug 23 2017, Russ Allbery wrote:
--- a/policy/ch-controlfields.rst
+++ b/policy/ch-controlfields.rst
@@ -962,6 +962,10 @@ repository where the Debian source package is
developed.
More than one different
Russ Allbery wrote:
> Sean Whitton writes:
>> On Wed, Aug 23 2017, Russ Allbery wrote:
>>> --- a/policy/ch-controlfields.rst
>>> +++ b/policy/ch-controlfields.rst
>>> @@ -962,6 +962,10 @@ repository where the Debian source package is
>>> developed.
>>>
>>> More
On Wed, Aug 23, 2017 at 09:20:39PM -0700, Russ Allbery wrote:
> --- a/policy/ch-controlfields.rst
> +++ b/policy/ch-controlfields.rst
> @@ -962,6 +962,10 @@ repository where the Debian source package is developed.
>
> More than one different VCS may be specified for the same package.
>
>
Henrique de Moraes Holschuh writes:
> On Thu, 24 Aug 2017, Sean Whitton wrote:
>> Seconded, but I think the integrity protection is a more important
>> reason to avoid the git protocol or http, so if we can come up with a
>> further change to reflect that it would be better.
>
On Thu, 24 Aug 2017, Sean Whitton wrote:
> Seconded, but I think the integrity protection is a more important
> reason to avoid the git protocol or http, so if we can come up with a
> further change to reflect that it would be better.
Attacking the integrity of the messages in transit requires
Sean Whitton writes:
> On Wed, Aug 23 2017, Russ Allbery wrote:
>> --- a/policy/ch-controlfields.rst
>> +++ b/policy/ch-controlfields.rst
>> @@ -962,6 +962,10 @@ repository where the Debian source package is developed.
>>
>> More than one different VCS may be
On Wed, Aug 23 2017, Russ Allbery wrote:
> --- a/policy/ch-controlfields.rst
> +++ b/policy/ch-controlfields.rst
> @@ -962,6 +962,10 @@ repository where the Debian source package is developed.
>
> More than one different VCS may be specified for the same package.
>
> +For both fields,
Control: tags -1 patch
Scott Kitterman writes:
> On January 8, 2016 12:26:24 PM EST, Russ Allbery wrote:
>> Scott Kitterman writes:
>>> As is currently being discussed on #debian-devel, the git:// protocol
>>> is insecure, but is
On January 8, 2016 12:26:24 PM EST, Russ Allbery wrote:
>Scott Kitterman writes:
>
>> As is currently being discussed on #debian-devel, the git:// protocol is
>> insecure, but is what is normally used in Vcs-git fields in Debian packages.
>
>> For git,
Package: debian-policy
Severity: important
Tags: patch
As is currently being discussed on #debian-devel, the git:// protocol is
insecure, but is what is normally used in Vcs-git fields in Debian packages.
For git, it would be far better to use https://, but I don't think policy is
completely
Scott Kitterman writes:
> As is currently being discussed on #debian-devel, the git:// protocol is
> insecure, but is what is normally used in Vcs-git fields in Debian packages.
> For git, it would be far better to use https://, but I don't think policy is
> completely