Dear all, The IESG-designated expert has reviewed our application and returned the inline comments below.
I added my own comments below theirs.

> > Optional parameters:
> > revision - the revision number of the specification.
>
> The syntax of the revision number needs to be specified: digits,
> digits.digits, digits.digits-digits, whatever.

Given that the current revision number is 1.0, and that I do not think that we aim at updating the format frequently, I propose the following:

Optional parameters:
revision - the revision number of the specification (digits.digits).

> > Security considerations:
> > The machine-readable debian/copyright file format is declarative
> > and does not cause commands to be executed. However, some programs
> > that parse it may execute commands containing values of some fields.
> > Therefore an attacker may exploit some security flaws in such programs.
> > Parsers should therefore follow general practices to sanitise their
> > input.
>
> You should also specify if there are any privacy/integrity
> considerations here. I rather doubt that privacy is an issue for this
> type, but there may be cases where integrity protection is desirable.

I propose to add the following paragraphs.

The comment or license fields may be used to quote discussions where redistribution terms have been clarified. There is no formal mechanism to signal that a proper permission has been given to quote the discussion if it was private.

The machine-readable debian/copyright file format does not feature mechanisms to ensure the integrity of the file. Consider using secure transport when needed.

I am not sure how the first paragraph is needed. What do you think?

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
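As an added illustration of the two points discussed in the message (the digits.digits syntax for the revision parameter, and parsers that pass field values to external commands), the following Python is example code written for this page; it is not part of the message, the Debian specification or any registration text. The media type name and the tool name in it are assumed placeholders, and the stanza reader handles only the simple "Field: value" layout with indented continuation lines.

```python
import re
from typing import Dict, List

# Placeholder media type name (an assumption, not taken from the message).
MEDIA_TYPE = "text/vnd.debian.copyright"
# Proposed syntax for the optional "revision" parameter: digits.digits
REVISION_RE = re.compile(r"^[0-9]+\.[0-9]+$")
# Conservative whitelist for a field value about to become a command argument.
SAFE_ARG_RE = re.compile(r"^[A-Za-z0-9._/*+-]+$")


def parse_media_type(header: str) -> Dict[str, str]:
    """Parse 'type/subtype; name=value; ...' and validate the revision parameter."""
    parts = [p.strip() for p in header.split(";")]
    if parts[0].lower() != MEDIA_TYPE:
        raise ValueError(f"unexpected media type {parts[0]!r}")
    result = {"type": parts[0].lower()}
    for param in parts[1:]:
        name, sep, value = param.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter {param!r}")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "revision" and not REVISION_RE.match(value):
            raise ValueError(f"revision must be digits.digits, got {value!r}")
        result[name] = value
    return result


def parse_stanza(text: str) -> Dict[str, str]:
    """Read one 'Field: value' paragraph; lines starting with whitespace continue
    the previous field. Anything else is rejected rather than guessed at."""
    fields: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and current is not None:
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line {line!r}")
    return fields


def files_argv(stanza: Dict[str, str], tool: str = "check-tool") -> List[str]:
    """Turn the Files field into an argument vector (never a shell string) for a
    placeholder tool, refusing any value that is not a plain path or glob."""
    argv = [tool]
    for pattern in stanza.get("Files", "").split():
        if not SAFE_ARG_RE.match(pattern):
            raise ValueError(f"refusing suspicious Files value {pattern!r}")
        argv.append(pattern)
    return argv
```

The argument vector is meant for `subprocess.run(argv)` without `shell=True`, so a field value such as `debian/* ; rm -rf /` is rejected before it ever reaches a shell.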

