Package: debian-policy
Severity: important
Tags: patch

As is currently being discussed on #debian-devel, the git:// protocol is
insecure, but is what is normally used in Vcs-git fields in Debian packages.

For git, it would be far better to use https://, but I don't think policy is
completely clear that it is OK since it says to use the "version control system's
conventional syntax".  For git, that's arguably git:// even though it's a
security risk.

Please see the attached patch.  Although the diff is slightly noisy, the patch
only adds one word.

Scott K
--- policy.txt.old	2016-01-08 11:17:29.734078678 -0500
+++ policy.txt.new	2016-01-08 11:19:09.050083170 -0500
@@ -2774,11 +2774,11 @@
      `Vcs-Arch', `Vcs-Bzr' (Bazaar), `Vcs-Cvs', `Vcs-Darcs', `Vcs-Git',
      `Vcs-Hg' (Mercurial), `Vcs-Mtn' (Monotone), `Vcs-Svn' (Subversion)
           The field name identifies the VCS.  The field's value uses the
-          version control system's conventional syntax for describing
-          repository locations and should be sufficient to locate the
-          repository used for packaging.  Ideally, it also locates the
-          branch used for development of new versions of the Debian
-          package.
+          version control system's conventional syntax for securely
+          describing repository locations and should be sufficient to
+          locate the repository used for packaging.  Ideally, it also 
+          locates the branch used for development of new versions of the
+          Debian package.
 
           In the case of Git, the value consists of a URL, optionally
           followed by the word `-b' and the name of a branch in the
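Review bot: the added word "securely" in the `+` lines is left undefined, so the Git paragraph that follows (which only says the value "consists of a URL") still gives maintainers no criterion for which transports qualify; consider stating it explicitly, e.g. that the URL should use a transport that authenticates the remote, such as https://, rather than an unauthenticated one such as git://, which is the point the cover text makes. Separately, the line `+          locate the repository used for packaging.  Ideally, it also ` carries trailing whitespace that should be dropped before the patch is applied.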