tags 826694 pending
thanks

Fixed in repo, commit 54f05beb90124bba1005f4ef5a6e84de4a71b43d

Bye,

Simon


Am 2016-06-08 um 02:25 schrieb Axel Beckert:
> Package: duck
> Version: 0.9
> Severity: normal
> 
> Dear Maintainer,
> 
> http://repo.or.cz/ is one of the earliest if not the earliest free Git
> hoster.
> 
> Some Debian packages refer to code hosted on that website.
> 
> The website is also reachable at http://repo.or.cz/, hence duck argues
> about not using HTTPS:
> 
> I: debian/control: Vcs-Browser: http://repo.or.cz/w/conkeror.git: INFORMATION 
> (Certainty:certain)
>    The web page at http://repo.or.cz/w/conkeror.git works, but is also 
> available via https://repo.or.cz/w/conkeror.git, please consider switching to 
> HTTPS urls.
> 
> I: debian/copyright:4: URL: http://repo.or.cz/w/conkeror.git: INFORMATION 
> (Certainty:possible)
>    The web page at http://repo.or.cz/w/conkeror.git works, but is also 
> available via https://repo.or.cz/w/conkeror.git, please consider switching to 
> HTTPS urls.
> 
> But it uses a self-signed SSL certificate for HTTPS and hence the
> suggested URLs cause a fat warning in every web browser and also in
> OpenSSL:
> 
> $ echo QUIT | openssl s_client -connect repo.or.cz:443 | openssl x509 -in 
> /dev/stdin -noout -text
> depth=1 serialNumber = 
> 6a:ac:44:8f:07:1d:57:0a:1c:cf:12:a2:a7:8f:29:b9:c0:ed:cc:d7, CN = girocco 
> rorcz root certificate
> verify error:num=19:self signed certificate in certificate chain
> DONE
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             36:27:b4:05:67:14:75:a2:bd:e1:e6:9f:61:ea:48:53:de:48:a6:e8
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: 
> serialNumber=6a:ac:44:8f:07:1d:57:0a:1c:cf:12:a2:a7:8f:29:b9:c0:ed:cc:d7, 
> CN=girocco rorcz root certificate
>         Validity
>             Not Before: Aug 11 00:00:00 1997 GMT
>             Not After : Dec 31 23:59:59 9999 GMT
>         Subject: CN=repo.or.cz
> […]
> 
> IMHO, duck should only suggest to switch to HTTPS if the used SSL
> certificate can be verified by the SSL certificates shipped in the
> package ca-certificates. Probably for local runs of duck, only those
> certificates should be taken into account, which are verifiable by
> _enabled_ certificates from ca-certificates.
> 
> It's probably debatable if sites with SSL certificates verifiable with
> the package ca-cacert installed or sites with a self-signed certificate
> verifiable via TLSA/DANE should cause such a warning or not. I tend to
> say no here, too.
> 
> -- System Information:
> Debian Release: stretch/sid
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.6.0-trunk-amd64 (SMP w/8 CPU cores)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
> 
> Versions of packages duck depends on:
> ii  devscripts                           2.16.5
> ii  dpkg-dev                             1.18.7
> ii  libconfig-inifiles-perl              2.89-1
> ii  libconfig-simple-perl                4.59-6
> ii  libdomain-publicsuffix-perl          0.10-1
> ii  libfile-which-perl                   1.21-1
> ii  libmailtools-perl                    2.13-1
> ii  libnet-dns-perl                      1.05-2
> ii  libparse-debcontrol-perl             2.005-4
> ii  libpath-class-perl                   0.36-1
> ii  libregexp-common-email-address-perl  1.01-4
> ii  libregexp-common-perl                2016060201-1
> ii  libstring-similarity-perl            1.04-1+b3
> ii  libwww-curl-perl                     4.17-2+b1
> ii  libxml-xpath-perl                    1.36-1
> ii  libyaml-libyaml-perl                 0.41-6+b1
> ii  lynx                                 2.8.9dev9-1
> ii  perl                                 5.22.2-1
> ii  publicsuffix                         20160525-1
> 
> duck recommends no packages.
> 
> Versions of packages duck suggests:
> ii  bzr         2.7.0-7
> ii  git         1:2.8.1-1
> ii  mercurial   3.8.3-1
> ii  subversion  1.9.4-1
> 
> -- no debconf information
> 
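The check the report asks for, as an added example that is not part of the thread or of duck's own code: an HTTPS suggestion is only made when the https:// counterpart completes a TLS handshake whose certificate chain verifies against the system CA store (Python's default context, which on Debian reads the enabled ca-certificates under /etc/ssl/certs). The function and probe names are assumptions; the probes are constructed stand-ins so the decision logic runs offline.

```python
import socket
import ssl
from urllib.parse import urlsplit

def https_variant(http_url):
    """Return the https:// counterpart of an http:// URL, or None otherwise."""
    parts = urlsplit(http_url)
    if parts.scheme != "http" or not parts.hostname:
        return None
    return parts._replace(scheme="https").geturl()

def tls_handshake(https_url, timeout=10):
    """Complete a TLS handshake with strict verification: the chain is checked
    against the system CA store and the hostname must match. Returns the peer
    certificate's subject; raises on any TLS or network failure."""
    parts = urlsplit(https_url)
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((parts.hostname, parts.port or 443), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            return tls.getpeercert().get("subject")

def classify_https(http_url, handshake=tls_handshake):
    """Classify the HTTPS counterpart as 'verified', 'untrusted-cert',
    'unreachable' or 'not-http'. `handshake` is injectable for offline use."""
    target = https_variant(http_url)
    if target is None:
        return "not-http"
    try:
        handshake(target)
    except ssl.SSLCertVerificationError:
        # Self-signed chain, unknown CA or hostname mismatch: the case from
        # the report (OpenSSL verify error 19). Not a switch candidate.
        return "untrusted-cert"
    except (ssl.SSLError, OSError):
        return "unreachable"
    return "verified"

def suggest_https(http_url, handshake=tls_handshake):
    """True only when the HTTPS variant presents a verifiable certificate."""
    return classify_https(http_url, handshake) == "verified"

# Constructed stand-ins for the handshake (no network needed): one mimics the
# self-signed chain from the report, one a verified cert, one a closed port.
def probe_self_signed(url):
    raise ssl.SSLCertVerificationError("self signed certificate in certificate chain")

def probe_verified(url):
    return ((("commonName", urlsplit(url).hostname),),)

def probe_refused(url):
    raise ConnectionRefusedError("connection refused")
```

Calling `suggest_https("http://repo.or.cz/w/conkeror.git")` without a probe performs the real handshake against the host and returns False for a chain the system store cannot verify.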
