This is an automated email from the git hooks/post-receive script. lamby pushed a commit to branch master in repository lintian.
commit c8b16ca11e4b38745b8c6e3872859a76c120eb27 Author: Chris Lamb <[email protected]> Date: Sun Oct 1 16:05:00 2017 +0100 Warn for debian/watch files using insecure URIs such as HTTP or FTP, similar to vcs-field-uses-insecure-uri. (Closes: #849515) --- checks/watch-file.desc | 7 +++++++ checks/watch-file.pm | 10 +++++----- debian/changelog | 3 +++ t/tests/watch-file-bug-765995/debian/debian/watch | 2 +- t/tests/watch-file-general/debian/debian/watch | 5 ++++- t/tests/watch-file-general/desc | 1 + t/tests/watch-file-general/tags | 3 +++ t/tests/watch-file-native/debian/debian/watch | 2 +- t/tests/watch-file-old-upstream-version/debian/debian/watch | 2 +- t/tests/watch-file-prerelease/debian/debian/watch | 2 +- t/tests/watch-file-pubkey-missing/desc | 4 +++- t/tests/watch-file-pubkey-missing/tags | 1 + t/tests/watch-file-should-mangle/debian/debian/watch | 6 +++--- t/tests/watch-file-template/desc | 4 +++- t/tests/watch-file-template/tags | 1 + 15 files changed, 38 insertions(+), 15 deletions(-) diff --git a/checks/watch-file.desc b/checks/watch-file.desc index 765efdf..af430dc 100644 --- a/checks/watch-file.desc +++ b/checks/watch-file.desc @@ -186,3 +186,10 @@ Severity: wishlist Certainty: certain Info: The watch file contains a standard template included by dh_make. Please remove them once you have implemented the watch file. + +Tag: debian-watch-uses-insecure-uri +Severity: wishlist +Certainty: certain +Info: The watch file uses an unencrypted transport protocol for the + URI. It is recommended to use a secure transport such as HTTPS for + anonymous read-only access. diff --git a/checks/watch-file.pm b/checks/watch-file.pm index 629cad7..5a8fb91 100644 --- a/checks/watch-file.pm +++ b/checks/watch-file.pm 
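Review bot: In checks/watch-file.desc, the Info text for debian-watch-uses-insecure-uri does not say what is at risk. The phrase `anonymous read-only access` reads as if it was carried over from the VCS-field tag that the commit message names, and it says little about a watch file. Since this URI is what uscan fetches upstream releases from, I would add a sentence such as `Version listings and source tarballs fetched over HTTP or FTP can be altered in transit, which matters most when no upstream OpenPGP signature is verified.`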
@@ -121,15 +121,13 @@ sub run { if /^pgpmode\s*=\s*(?!none\s*$)\S.*$/; } } + if (m%qa\.debian\.org/watch/sf\.php\?%) { tag 'debian-watch-file-uses-deprecated-sf-redirector-method', "line $."; - } - if (m%githubredir\.debian\.net%) { + } elsif (m%githubredir\.debian\.net%) { tag 'debian-watch-file-uses-deprecated-githubredir',"line $."; - } - - if ( + } elsif ( m{ (?:https?|ftp):// (?:(?:.+\.)?dl|(?:pr)?downloads?|ftp\d?|upload) \. (?:sourceforge|sf)\.net}xsm @@ -139,6 +137,8 @@ sub run { /projects/.+/files}xsm ) { tag 'debian-watch-file-should-use-sf-redirector', "line $."; + } elsif (m%(?:http|ftp):%) { + tag 'debian-watch-uses-insecure-uri',"line $."; } # This bit is as-is from uscan.pl: diff --git a/debian/changelog b/debian/changelog index 56fb352..34d4198 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,6 +12,9 @@ lintian (2.5.55) UNRELEASED; urgency=medium (Closes: #877142) + [NT] Apply patch from Mattia Rizzolo to improve the tag description for script-uses-deprecated-nodejs-location. + * checks/watch-file.{pm,desc}: + + [CL] Warn for debian/watch files using insecure URIs such as HTTP or + FTP, similar to vcs-field-uses-insecure-uri. (Closes: #849515) * commands/lintian.pm: + [NT] Simplify handling of uncaught exceptions. diff --git a/t/tests/watch-file-bug-765995/debian/debian/watch b/t/tests/watch-file-bug-765995/debian/debian/watch index fd32869..6f30e20 100644 --- a/t/tests/watch-file-bug-765995/debian/debian/watch +++ b/t/tests/watch-file-bug-765995/debian/debian/watch @@ -1,4 +1,4 @@ version=3 # Trailing whitespace and missing continuation backslash intentional! opts=pgpsigurlmangle=s/$/.asc/ -http://www.example.com/Downloads/code-(.+)code\.zip +https://www.example.com/Downloads/code-(.+)code\.zip diff --git a/t/tests/watch-file-general/debian/debian/watch b/t/tests/watch-file-general/debian/debian/watch index a96531e..956fef9 100644 --- a/t/tests/watch-file-general/debian/debian/watch +++ b/t/tests/watch-file-general/debian/debian/watch 
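Review bot: In checks/watch-file.pm, the new pattern `m%(?:http|ftp):%` is unanchored and case-sensitive, so it matches `http:` or `ftp:` anywhere in the line (for example as the tail of `sftp:`) and misses an upper-case scheme such as `HTTP://`. Something like `} elsif (m{\b(?:http|ftp)://}i) {` would tie the match to a complete scheme prefix at a word boundary, although a URL quoted inside an `opts=` mangle rule would still match. Because the check is the last `elsif`, a plain-HTTP line that already triggers one of the three earlier tags never gets debian-watch-uses-insecure-uri. If that is intended, a short comment such as `# only reported when no redirector tag applies to the line` would record it. The body of `run` starts and ends outside these hunks, so how `$_` is prepared before this chain is not visible here.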
@@ -18,9 +18,12 @@ http://sourceforge.net/projects/synce/files http://downloads.sourceforge.net/.+/ version=42 # Specifies the same version number as the package. -http://example.com/ foo([\d.]+)\.tar\.gz 2.0.ds1-1 uupdate +https://example.com/ foo([\d.]+)\.tar\.gz 2.0.ds1-1 uupdate # Deprecated githubredir http://githubredir.debian.net/github/username/project /(.*).tar.gz # without any pgpsigurlmangle + +http://insecure.com /(.*).tar.gz +https://secure.com /(.*).tar.gz diff --git a/t/tests/watch-file-general/desc b/t/tests/watch-file-general/desc index 3dc5359..100079e 100644 --- a/t/tests/watch-file-general/desc +++ b/t/tests/watch-file-general/desc @@ -14,4 +14,5 @@ Test-For: debian-watch-file-uses-deprecated-sf-redirector-method debian-watch-file-uses-deprecated-githubredir debian-watch-may-check-gpg-signature + debian-watch-uses-insecure-uri References: Debian Bug#510398 diff --git a/t/tests/watch-file-general/tags b/t/tests/watch-file-general/tags index 675508a..98b529f 100644 --- a/t/tests/watch-file-general/tags +++ b/t/tests/watch-file-general/tags @@ -1,5 +1,6 @@ E: watch-file-general source: debian-watch-file-uses-deprecated-githubredir line 24 I: watch-file-general source: debian-watch-file-should-dversionmangle-not-uversionmangle line 5 +I: watch-file-general source: debian-watch-uses-insecure-uri line 28 P: watch-file-general source: debian-watch-may-check-gpg-signature W: watch-file-general source: debian-watch-file-declares-multiple-versions line 18 W: watch-file-general source: debian-watch-file-declares-multiple-versions line 7 
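Review bot: In t/tests/watch-file-general/debian/debian/watch, the two fixture lines added at the end of the hunk use `insecure.com` and `secure.com`, which are registrable domains, whereas the other fixtures in this commit use `example.com`. Reserved names such as `http://insecure.example.com /(.*).tar.gz` keep the test data from pointing at a third party. The fixture also has no `ftp://` line, so the `ftp` alternative of the new check is not exercised. Adding `ftp://ftp.example.com/pub/ /(.*).tar.gz` with matching entries in `tags` would cover it.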
@@ -7,6 +8,8 @@ W: watch-file-general source: debian-watch-file-should-mangle-version line 12 W: watch-file-general source: debian-watch-file-should-mangle-version line 14 W: watch-file-general source: debian-watch-file-should-mangle-version line 15 W: watch-file-general source: debian-watch-file-should-mangle-version line 24 +W: watch-file-general source: debian-watch-file-should-mangle-version line 28 +W: watch-file-general source: debian-watch-file-should-mangle-version line 29 W: watch-file-general source: debian-watch-file-should-use-sf-redirector line 12 W: watch-file-general source: debian-watch-file-should-use-sf-redirector line 14 W: watch-file-general source: debian-watch-file-should-use-sf-redirector line 15 diff --git a/t/tests/watch-file-native/debian/debian/watch b/t/tests/watch-file-native/debian/debian/watch index fe12dbc..23b829d 100644 --- a/t/tests/watch-file-native/debian/debian/watch +++ b/t/tests/watch-file-native/debian/debian/watch @@ -1,5 +1,5 @@ # watch file with upstream version mangling version=3 -http://somewhere.debian.org/foo/foo_bar(.+)\.tar\.gz 5 uupdate +https://somewhere.debian.org/foo/foo_bar(.+)\.tar\.gz 5 uupdate diff --git a/t/tests/watch-file-old-upstream-version/debian/debian/watch b/t/tests/watch-file-old-upstream-version/debian/debian/watch index 7e052d6..ebaecbd 100644 --- a/t/tests/watch-file-old-upstream-version/debian/debian/watch +++ b/t/tests/watch-file-old-upstream-version/debian/debian/watch @@ -1,3 +1,3 @@ version=3 -http://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz 1.0 uupdate +https://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz 1.0 uupdate diff --git a/t/tests/watch-file-prerelease/debian/debian/watch b/t/tests/watch-file-prerelease/debian/debian/watch index 26df203..8038deb 100644 --- a/t/tests/watch-file-prerelease/debian/debian/watch +++ b/t/tests/watch-file-prerelease/debian/debian/watch 
@@ -1,3 +1,3 @@ version=3 opts=dversionmangle=s/~rc/-rc/ \ - http://www.example.com/software/foo/ .*/foo-([^-]+)\.tar\.gz + https://www.example.com/software/foo/ .*/foo-([^-]+)\.tar\.gz diff --git a/t/tests/watch-file-pubkey-missing/desc b/t/tests/watch-file-pubkey-missing/desc index 4d162a6..41d6c6e 100644 --- a/t/tests/watch-file-pubkey-missing/desc +++ b/t/tests/watch-file-pubkey-missing/desc @@ -2,4 +2,6 @@ Testname: watch-file-pubkey-missing Type: non-native Version: 1+dfsg-1 Description: Watch file if verify signature should check d/upstream/signing-key.{pgp,asc} -Test-For: debian-watch-file-pubkey-file-is-missing +Test-For: + debian-watch-file-pubkey-file-is-missing + debian-watch-uses-insecure-uri diff --git a/t/tests/watch-file-pubkey-missing/tags b/t/tests/watch-file-pubkey-missing/tags index c3b1f0d..58ec471 100644 --- a/t/tests/watch-file-pubkey-missing/tags +++ b/t/tests/watch-file-pubkey-missing/tags @@ -1 +1,2 @@ E: watch-file-pubkey-missing source: debian-watch-file-pubkey-file-is-missing +I: watch-file-pubkey-missing source: debian-watch-uses-insecure-uri line 3 diff --git a/t/tests/watch-file-should-mangle/debian/debian/watch b/t/tests/watch-file-should-mangle/debian/debian/watch index 0032647..6cc9db4 100644 --- a/t/tests/watch-file-should-mangle/debian/debian/watch +++ b/t/tests/watch-file-should-mangle/debian/debian/watch @@ -2,10 +2,10 @@ # package version number. version=2 -http://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz debian uupdate +https://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz debian uupdate # version mangling is not needed in this case: -http://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz 0.24 uupdate +https://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz 0.24 uupdate # version mangling *is* needed in this case: -http://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz +https://www.example.com/dist/ dh7-test\.([\d.]+)\.tar\.gz 
diff --git a/t/tests/watch-file-template/desc b/t/tests/watch-file-template/desc index 0b56374..93c5332 100644 --- a/t/tests/watch-file-template/desc +++ b/t/tests/watch-file-template/desc @@ -2,4 +2,6 @@ Testname: watch-file-template Type: non-native Version: 1.0-1 Description: Test for dh_make(1) templates -Test-For: debian-watch-contains-dh_make-template +Test-For: + debian-watch-contains-dh_make-template + debian-watch-uses-insecure-uri diff --git a/t/tests/watch-file-template/tags b/t/tests/watch-file-template/tags index f6885fd..4b43de1 100644 --- a/t/tests/watch-file-template/tags +++ b/t/tests/watch-file-template/tags @@ -1 +1,2 @@ I: watch-file-template source: debian-watch-contains-dh_make-template +I: watch-file-template source: debian-watch-uses-insecure-uri line 3 -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git

