Package: debian-policy
Severity: important
Tags: patch

As is currently being discussed on #debian-devel, the git:// protocol is insecure, but is what is normally used in Vcs-git fields in Debian packages.
For git, it would be far better to use https://, but I don't think policy is completely clear that this is OK since it says to use the "version control system's conventional syntax". For git, that's arguably git:// even though it's a security risk. Please see the attached patch. Although the diff is slightly noisy, the patch only adds one word.

Scott K
--- policy.txt.old 2016-01-08 11:17:29.734078678 -0500 +++ policy.txt.new 2016-01-08 11:19:09.050083170 -0500 @@ -2774,11 +2774,11 @@ `Vcs-Arch', `Vcs-Bzr' (Bazaar), `Vcs-Cvs', `Vcs-Darcs', `Vcs-Git', `Vcs-Hg' (Mercurial), `Vcs-Mtn' (Monotone), `Vcs-Svn' (Subversion) The field name identifies the VCS. The field's value uses the - version control system's conventional syntax for describing - repository locations and should be sufficient to locate the - repository used for packaging. Ideally, it also locates the - branch used for development of new versions of the Debian - package. + version control system's conventional syntax for securely + describing repository locations and should be sufficient to + locate the repository used for packaging. Ideally, it also + locates the branch used for development of new versions of the + Debian package. In the case of Git, the value consists of a URL, optionally followed by the word `-b' and the name of a branch in the
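Review bot: in the replaced paragraph, "conventional syntax for securely describing repository locations" leaves "securely" undefined, so a maintainer cannot tell from the policy text whether git:// (which the report itself calls insecure) is excluded or what is expected instead. Consider stating the requirement directly rather than with an adverb, for example "using a transport that authenticates the server (such as https://) rather than git://", or adding that guidance to the Git-specific paragraph that immediately follows ("In the case of Git, the value consists of a URL ..."), since that is where the URL form is actually specified. The remaining changed lines in the hunk are only a reflow of the same sentences caused by inserting the word, which matches the report's description, so no other content change needs review.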