Hi Chris,

On Sat, Apr 28, 2018 at 08:31:40AM +0100, Chris Lamb wrote:
> > I: seaview source: debian-watch-uses-insecure-uri
> > ftp://pbil.univ-lyon1.fr/pub/ […]
> >
> > Since there is no anonymous secure ftp this info is not very helpful
> > IMHO.
>
> Lintian is asking you to encourage upstream to move to HTTPS. Or perhaps
> I'm missing something here?

This answer is targeting in the same direction as Paul's response. My understanding of the lintian issue was to make maintainers verify whether their watch files will work with https instead of http as well. This way I fixed several watch files, but if I realised that the watch file does not work after a simple s/http:/https:/ (usually resulting in an error 503) I reverted the change. With this understanding I never had a reason to look into ftp: based watch files.

I agree that if the intention is not to encourage the maintainer to try a s/http:/https:/ but rather to contact upstream, the lintian warning is fine, but maybe the text should be more explicit: Please contact upstream and point them to <useful URL> how to change their download method.

> Fixing this issue would essentially involve marking "ftp://" as a
> secure protocol which is obviously not the case...

Definitely not. Maybe the lintian warning should be more explicit and say: d/watch is pointing to an ftp download location. Downloading from ftp sites is considered insecure when not using ftp over TLS.

Kind regards

      Andreas.

-- 
http://fam-tille.de
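As an added example (not part of this thread, and not lintian's own code), a small Python check that reads a debian/watch file the way the tag discussed above treats it: it joins backslash-continued lines, skips the opts= field, reports every entry whose URL scheme is not transport-secured, and produces the https candidate one would try by hand before deciding whether the rewrite works. The sample watch file is constructed.

```python
import re

# Constructed debian/watch sample: one ftp entry (as in the lintian output quoted
# above), one http entry and one already-secure https entry.
SAMPLE_WATCH = """\
version=4
# upstream tarballs on an anonymous ftp mirror
opts="uversionmangle=s/_/./" \\
  ftp://ftp.example.org/pub/seaview_([\\d.]+)\\.tar\\.gz
https://example.org/releases/ foo-(\\d[\\d.]*)\\.tar\\.gz
http://example.org/old/ foo-(\\d[\\d.]*)\\.tar\\.gz
"""

# Only https gives transport security for uscan downloads; plain ftp and http do not.
SECURE_SCHEMES = {"https"}
OPTS_RE = re.compile(r'^opts=(?:"[^"]*"|\S+)\s+')
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://")


def watch_entries(text):
    """Return the logical entries of a watch file: comments and the version=
    line are dropped, backslash-continued lines are joined into one entry."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if not buf.startswith("version="):
            entries.append(buf)
        buf = ""
    return entries


def entry_url(entry):
    """Return the URL field of an entry, skipping an optional opts= prefix."""
    fields = OPTS_RE.sub("", entry, count=1).split()
    return fields[0] if fields else ""


def insecure_uris(text):
    """Return (scheme, url) for every entry whose scheme is not in SECURE_SCHEMES."""
    found = []
    for entry in watch_entries(text):
        url = entry_url(entry)
        m = SCHEME_RE.match(url)
        scheme = m.group(1) if m else ""
        if scheme not in SECURE_SCHEMES:
            found.append((scheme, url))
    return found


def https_candidate(url):
    """The s/ftp:/https:/ or s/http:/https:/ rewrite to test against upstream."""
    return SCHEME_RE.sub("https://", url, count=1)
```

Whether the candidate URL actually serves the tarballs still has to be checked against upstream; the script only tells you which entries need that check.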

