Package: devscripts
Version: 2.17.10
Severity: wishlist
The following watch file works fine:
version=4
opts="pgpsigurlmangle=s/$/.asc/" \
http://sf.net/gscan2pdf/gscan2pdf-(.+)\.tar\.xz debian uupdate
apart from lintian complaining:
I: gscan2pdf source: debian-watch-uses-insecure-uri line 3
N:
N:The watch file uses an unencrypted transport protocol for the URI.
It is
N:recommended to use a secure transport such as HTTPS for anonymous
N:read-only access.
Looking at the verbose output of uscan, it does seem to use https on the
redirected URL.
If I change http to https, then the watch file no longer works.
If I rewrite the watch file not to use the redirector, but to use https,
then it also works, but lintian complains that I should be using the
redirector.
When I contacted the maintainers of lintian, I was asked to file a bug against
uscan:
> Indeed; uscan special-cases the "http://sf.net/; URL and completely
> rewrites it. I think the best solution would be for uscan to also
> accept "https://sf.net/;
[...]
> Technically, we can special-case it in lintian to skip the warning here.
> But I prefer not giving mixed signals about whether a "http" url is
> secure or not. Among other because not all tools have the special magic
> for rewriting the URL to Debian's sourceforge redirector.
And indeed, I think this would be the cleanest solution.
I would be grateful if you could implement this.
-- Package-specific info:
--- /etc/devscripts.conf ---
--- ~/.devscripts ---
DEBSIGN_KEYID=110FCAF3
-- System Information:
Debian Release: buster/sid
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'testing'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages devscripts depends on:
ii dpkg-dev 1.18.24
ii libc6 2.24-17
ii libfile-homedir-perl 1.002-1
ii perl 5.26.0-8
ii python3 3.6.3-1
Versions of packages devscripts recommends:
ii apt 1.5
ii at 3.1.20-3
ii curl7.56.1-1
ii dctrl-tools 2.24-2+b1
ii debian-keyring 2017.08.28
ii dput1.0.1
ii equivs 2.1.0
ii fakeroot1.22-1
ii file1:5.32-1
ii gnupg 2.2.1-4
ii gnupg2 2.2.1-4
ii libdistro-info-perl 0.17
ii libdpkg-perl1.18.24
ii libencode-locale-perl 1.05-1
ii libgit-wrapper-perl 0.047-1
ii liblist-compare-perl0.53-1
ii liblwp-protocol-https-perl 6.07-2
ii libsoap-lite-perl 1.22-1
ii liburi-perl 1.72-2
ii libwww-perl 6.27-1
ii licensecheck3.0.31-2
ii lintian 2.5.55
ii man-db 2.7.6.1-2
ii patch 2.7.5-1+b2
ii patchutils 0.3.4-2
ii python3-apt 1.4.0~beta3+b1
ii python3-debian 0.1.31
ii python3-magic 1:5.32-1
ii python3-requests2.18.1-1
ii python3-unidiff 0.5.4-1
ii python3-xdg 0.25-4
ii sensible-utils 0.0.10
ii strace 4.15-2
ii unzip 6.0-21
ii wdiff 1.2.2-2
ii wget1.19.1-4
ii xz-utils5.2.2-1.3
Versions of packages devscripts suggests:
pn adequate
ii autopkgtest 5.0.2
pn bls-standalone
ii bsd-mailx [mailx]8.1.2-0.20160123cvs-4
ii build-essential 12.4
pn check-all-the-things
pn cvs-buildpackage
pn devscripts-el
pn diffoscope
pn disorderfs
pn dose-extra
pn duck
pn faketime
pn gnuplot
ii gpgv 2.2.1-4
pn how-can-i-help
ii libauthen-sasl-perl 2.1600-1
ii libfile-desktopentry-perl0.22-1
pn libnet-smtps-perl
pn libterm-size-perl
ii libtimedate-perl 2.3000-2
pn libyaml-syck-perl
pn mozilla-devscripts
ii mutt 1.8.3+neomutt20170609-2+b1
ii openssh-client [ssh-client] 1:7.6p1-2
pn piuparts
ii quilt0.63-8.1
pn ratt
pn reprotest
pn svn-buildpackage
ii w3m 0.5.3-34
-- no debconf information
