Processed: Re: lintian: Please clarify what to do with debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 897082 + pending
Bug #897082 [lintian] lintian: Please clarify what to do with 
debian-watch-uses-insecure-uri for ftp:// URIs
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
897082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897082
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#897082: lintian: Please clarify what to do with debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Chris Lamb
tags 897082 + pending
thanks

Okay, I've just committed this:

  https://salsa.debian.org/lintian/lintian/commit/2e33a49673ff20c01254fd9a892a028bf72fd931

  checks/watch-file.desc | 7 +--
  debian/changelog   | 4 
  2 files changed, 9 insertions(+), 2 deletions(-)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Processed: Re: Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 897082 lintian: Please clarify what to do with 
> debian-watch-uses-insecure-uri for ftp:// URIs
Bug #897082 [lintian] lintian: Please do not warn about 
debian-watch-uses-insecure-uri for ftp:// URIs
Changed Bug title to 'lintian: Please clarify what to do with 
debian-watch-uses-insecure-uri for ftp:// URIs' from 'lintian: Please do not 
warn about debian-watch-uses-insecure-uri for ftp:// URIs'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
897082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897082
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Chris Lamb
retitle 897082 lintian: Please clarify what to do with 
debian-watch-uses-insecure-uri for ftp:// URIs
thanks

Dear Andreas,

> I agree my bug title was not very sensibly chosen.

No problem at all. I just wanted to ensure I understood where you
were coming from.

> Feel free to close the bug if you think it should remain as it is.

IMHO people file bugs for a reason, either because there is a
genuine bug or there was a perception of one — ie. the
documentation or output is misleading.

Will update the description with some advice for ftp:// shortly…


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#897080: Please detect long descriptions starting with lowercase to catch short descriptions continuing into long

2018-04-28 Thread Josh Triplett
On Sat, Apr 28, 2018 at 09:09:45AM +0100, Chris Lamb wrote:
> Hi Josh,
> 
> > Ah, I see; lintian doesn't display "minor/possible" by default, so when
> > I tested it on this description it didn't say anything:
> > 
> > ~$ apt show postgresql-10-wal2json
> 
> […]
> 
> Indeed, you need to pass -i/--info to display "I:" tags.
[...]
> Closing bug accordingly. Thank you for the report! :-)

Given that these kinds of issues crop up regularly in new packages, I
can't help but wonder if we could somehow make it easier for people to
notice this class of issues. People often know to run lintian on their
packages before uploading, or use tools that do so for them, but not
nearly as many use --info.

With some heuristics to reduce false positives, could we promote this to
a visible-by-default level? Or alternatively, should we adjust some of
our tooling to help expose lintian --info warnings by default? (Perhaps,
for instance, lintian could suppress them but include a single note
saying "additional warnings available via --info" if any exist?)



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Russ Allbery
Niels Thykier  writes:
> Chris Lamb:
>> Hi Andreas,
>> 
>>> [...]
>> ... which does seem to cover the ftp:// case. Perhaps you were
>> thinking of something like:
>> 
>>  The watch file uses an unencrypted transport protocol for the
>>  URI such as http:// or ftp://. It is recommended to use a secure
>>  transport such as HTTPS for anonymous read-only access.

> Perhaps "... such as HTTPS or FTPS (FTP + TLS) for anonymous read-only
> access." would help cover the FTP-case?

I suspect the number of free software distribution sites that currently
use FTP but would support FTP + TLS is at most a rounding error away from
zero.

-- 
Russ Allbery (r...@debian.org)   



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Andreas Tille
Hi Chris,

On Sat, Apr 28, 2018 at 10:52:56AM +0100, Chris Lamb wrote:
> 
> Indeed, but just to clarify my own confusion, given this bug is
> titled "please do not warn about debian-watch-uses-insecure-uri for
> ftp:// URIs" I am unsure how a relatively-minor wording change,
> even if helpful, etc., would help address that

I agree my bug title was not very sensibly chosen.

I simply wanted to express that I have no idea what to do *personally*
(besides trying to contact the authors) in cases where ftp is used.
This is in contrast to lots of other watch files I was able to change to
https, and thus I felt bothered by a not so helpful lintian warning which,
from my personal point of view, would belong in a different category.

Feel free to close the bug if you think it should remain as it is.

Kind regards

Andreas.

-- 
http://fam-tille.de



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Chris Lamb
Niels,

> Perhaps "... such as HTTPS or FTPS (FTP + TLS) for anonymous read-only
> access." would help cover the FTP-case?

Indeed, but just to clarify my own confusion, given this bug is
titled "please do not warn about debian-watch-uses-insecure-uri for
ftp:// URIs" I am unsure how a relatively-minor wording change,
even if helpful, etc., would help address that


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Niels Thykier
Chris Lamb:
> Hi Andreas,
> 
>> [...]
> ... which does seem to cover the ftp:// case. Perhaps you were
> thinking of something like:
> 
>  The watch file uses an unencrypted transport protocol for the
>  URI such as http:// or ftp://. It is recommended to use a secure
>  transport such as HTTPS for anonymous read-only access.
> 

Perhaps "... such as HTTPS or FTPS (FTP + TLS) for anonymous read-only
access." would help cover the FTP-case?

Thanks,
~Niels



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Chris Lamb
Hi Andreas,

> May be the lintian warning should be more explicit and say:
> 
>   d/watch is pointing to an ftp download location.  Downloading
>   from ftp sites is considered insecure when not using ftp over
>   TLS.

Alas, without introducing a separate tag for ftp:// watch files, we
cannot conditionally output parts of a description.

The tag currently says:

 The watch file uses an unencrypted transport protocol for the
 URI. It is recommended to use a secure transport such as HTTPS for
 anonymous read-only access.

... which does seem to cover the ftp:// case. Perhaps you were
thinking of something like:

 The watch file uses an unencrypted transport protocol for the
 URI such as http:// or ftp://. It is recommended to use a secure
 transport such as HTTPS for anonymous read-only access.

... but this doesn't really seem to change or improve clarity that
much, so I don't think I am 100% understanding the problem here or
am misinterpreting the original bug title - ftp:// URIs are
insecure.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Andreas Tille
Hi Chris,

On Sat, Apr 28, 2018 at 08:31:40AM +0100, Chris Lamb wrote:
> > I: seaview source: debian-watch-uses-insecure-uri 
> > ftp://pbil.univ-lyon1.fr/pub/ […]
> > 
> > Since there is no anonymous secure ftp this info is not very helpful
> > IMHO.
> 
> Lintian is asking you to encourage upstream to move to HTTPS. Or perhaps
> I'm missing something here?

This answer is targeting in the same direction as Paul's response.

My understanding of the lintian issue was to make maintainers verify
whether their watch files will work with https instead of http as well.
This way I fixed several watch files but if I realised that the watch
file does not work after a simple s/http:/https:/ (usually resulting in
an error 503) I reverted the change.

With this understanding I never had a reason to look into ftp: based
watch files.

I agree that if the intention is not to encourage the maintainer to
try a s/http:/https:/ but rather contact upstream the lintian warning
is fine but may be the text should be more explicit:

   Please contact upstream and point them to  how to
   change their download method.
 
> Fixing this issue would essentially involve marking "ftp://" as a
> secure protocol which is obviously not the case...

Definitely not.  May be the lintian warning should be more explicit
and say:

  d/watch is pointing to an ftp download location.  Downloading
  from ftp sites is considered insecure when not using ftp over
  TLS.

Kind regards

  Andreas. 

-- 
http://fam-tille.de



Bug#897080: Please detect long descriptions starting with lowercase to catch short descriptions continuing into long

2018-04-28 Thread Josh Triplett
On Sat, Apr 28, 2018 at 08:33:55AM +0100, Chris Lamb wrote:
> tags 897080 + moreinfo
> thanks
> 
> Hi Josh,
> 
> > Description: words words words. Words words
> >  words words words. Words words words.
> 
> But would this not already be caught by:
> 
> Tag: description-synopsis-might-not-be-phrased-properly
> Severity: minor
> Certainty: possible
> Info: The package synopsis (also known as the "short" description, ie. the
>  first line in the package's "Description:" field) either ends with a full
>  stop "." character or starts another sentence.
>  .
>  This is not necessary as the synopsis does not need to be a full
>  sentence.  It is recommended that a single descriptive phrase is used
>  instead.
>  .
>  Note also that the synopsis is not part of the rest of the "long"
>  Description: field.
> 
> If not, having a good corpus of "good" and "bad" examples would be the next
> step here :)

Ah, I see; lintian doesn't display "minor/possible" by default, so when
I tested it on this description it didn't say anything:

~$ apt show postgresql-10-wal2json
Package: postgresql-10-wal2json
Version: 1.0-1
Priority: optional
Section: database
Source: wal2json
Maintainer: Debian PostgreSQL Maintainers 

Installed-Size: 39.9 kB
Depends: postgresql-10, libc6 (>= 2.4)
Homepage: https://github.com/eulerto/wal2json
Download-Size: 11.6 kB
APT-Sources: https://deb.debian.org/debian unstable/main amd64 Packages
Description: wal2json is an output plugin for logical decoding. It means that
 the plugin have access to tuples produced by INSERT and UPDATE. Also,
 UPDATE/DELETE old row versions can be accessed depending on the configured
 replica identity. Changes can be consumed using the streaming protocol
 (logical replication slots) or by a special SQL API.



Bug#897080: marked as done (Please detect long descriptions starting with lowercase to catch short descriptions continuing into long)

2018-04-28 Thread Debian Bug Tracking System
Your message dated Sat, 28 Apr 2018 09:09:45 +0100
with message-id 
<1524902985.414034.1353715696.1f79a...@webmail.messagingengine.com>
and subject line Re: Bug#897080: Please detect long descriptions starting with 
lowercase to catch short descriptions continuing into long
has caused the Debian Bug report #897080,
regarding Please detect long descriptions starting with lowercase to catch 
short descriptions continuing into long
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897080: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897080
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.84
Severity: wishlist

I don't know how well this will work or if it will produce false
positives, but inspired by having just reported yet another bug about a
package whose short description contained the start of a sentence that
continued into the long description, I wonder if Lintian could try to
detect that somehow.

One possibility would be to check for a long description that starts
with a lowercase letter, other than the case where the long description
starts with the package name or a word from the package name. That
*might* still produce some false positives, though.

If that still produces too many false positives, perhaps it would work
to check for a short description that looks like a sentence followed by
more words, and *then* a lowercase word starting the description. For
instance:

Description: words words words. Words words
 words words words. Words words words.


Does that seem plausible?

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils  2.30-16
ii  bzip2 1.0.6-8.1
ii  diffstat  1.61-1+b1
ii  dpkg  1.19.0.5
ii  file  1:5.33-1
ii  gettext   0.19.8.1-6
ii  intltool-debian   0.35.0+20060710.4
ii  libapt-pkg-perl   0.1.34
ii  libarchive-zip-perl   1.60-1
ii  libclass-accessor-perl0.51-1
ii  libclone-perl 0.39-1
ii  libdpkg-perl  1.19.0.5
ii  libemail-valid-perl   1.202-1
ii  libfile-basedir-perl  0.07-1
ii  libipc-run-perl   0.99-1
ii  liblist-moreutils-perl0.416-1+b3
ii  libparse-debianchangelog-perl 1.2.0-12
ii  libperl5.26 [libdigest-sha-perl]  5.26.2-2
ii  libtext-levenshtein-perl  0.13-1
ii  libtimedate-perl  2.3000-2
ii  liburi-perl   1.73-1
ii  libxml-simple-perl2.25-1
ii  libyaml-libyaml-perl  0.69+repack-1
ii  man-db2.8.3-2
ii  patchutils0.3.4-2
ii  perl  5.26.2-2
ii  t1utils   1.41-2
ii  xz-utils  5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  

Versions of packages lintian suggests:
pn  binutils-multiarch 
ii  dpkg-dev   1.19.0.5
ii  libhtml-parser-perl3.72-3+b2
ii  libtext-template-perl  1.52-1

-- no debconf information
--- End Message ---
--- Begin Message ---
Hi Josh,

> Ah, I see; lintian doesn't display "minor/possible" by default, so when
> I tested it on this description it didn't say anything:
> 
> ~$ apt show postgresql-10-wal2json

[…]

Indeed, you need to pass -i/--info to display "I:" tags.

You can confirm
it works for postgresql-10-wal2json here:

  https://lintian.debian.org/full/pkg-postgresql-pub...@lists.alioth.debian.org.html#wal2json_1.0-1

Closing bug accordingly. Thank you for the report! :-)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
--- End Message ---
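Josh's two heuristics from the report above (a long description starting with a lowercase word other than the package name, and the stricter variant that also requires the synopsis to look like a sentence), next to the condition of the existing tag Chris quotes, as an added example that is not lintian's own code. The control stanzas are constructed, the first modelled on the wal2json description quoted earlier in the thread; `synopsis-continues-into-long-description` is a hypothetical tag name, and the word-splitting rules are assumptions of this example.

```python
"""Added example (not lintian's code): the heuristics proposed in the bug
report for catching a synopsis that runs on into the long description."""
import re
from typing import List, Optional, Tuple

# Constructed control stanzas. The first mirrors the wal2json description
# quoted in the thread; the second is a rewritten, well-formed version.
BAD_STANZA = """\
Package: postgresql-10-wal2json
Description: wal2json is an output plugin for logical decoding. It means that
 the plugin have access to tuples produced by INSERT and UPDATE. Also,
 UPDATE/DELETE old row versions can be accessed depending on the configured
 replica identity.
"""

GOOD_STANZA = """\
Package: postgresql-10-wal2json
Description: PostgreSQL logical decoding output plugin producing JSON
 wal2json is an output plugin for logical decoding. It gives access to
 the tuples produced by INSERT and UPDATE.
"""

# Synopsis is a proper phrase, but the long description starts lowercase
# with a word that is not part of the package name (constructed).
LOOSE_ONLY_STANZA = """\
Package: frobnicate
Description: command-line frobnicator
 small utility that frobnicates its input.
"""

EXISTING_TAG = "description-synopsis-might-not-be-phrased-properly"
# Hypothetical tag name for the proposed check; lintian has no such tag here.
PROPOSED_TAG = "synopsis-continues-into-long-description"


def parse_stanza(text: str) -> Tuple[str, str, List[str]]:
    """Return (package, synopsis, long-description lines) from a control stanza."""
    package, synopsis, long_lines, in_desc = "", "", [], False
    for line in text.splitlines():
        if line.startswith("Package:"):
            package = line.split(":", 1)[1].strip()
            in_desc = False
        elif line.startswith("Description:"):
            synopsis = line.split(":", 1)[1].strip()
            in_desc = True
        elif in_desc and line.startswith(" "):
            long_lines.append(line[1:])  # drop the one-space continuation indent
        else:
            in_desc = False
    return package, synopsis, long_lines


def synopsis_phrased_as_sentence(synopsis: str) -> bool:
    """The existing tag's condition: the synopsis ends in a full stop or
    starts another sentence. (Abbreviations such as 'e.g. Foo' would be
    false positives of this simple regex.)"""
    return synopsis.endswith(".") or re.search(r"\.\s+[A-Z]", synopsis) is not None


def first_long_word(long_lines: List[str]) -> Optional[str]:
    for line in long_lines:
        if line.strip() and line.strip() != ".":  # ' .' is a paragraph break
            m = re.match(r"\s*([A-Za-z][\w.+-]*)", line)
            return m.group(1) if m else None
    return None


def long_starts_lowercase(package: str, long_lines: List[str]) -> bool:
    """Long description starts with a lowercase word that is neither the
    package name nor one of its hyphen-separated components."""
    word = first_long_word(long_lines)
    if not word or not word[0].islower():
        return False
    allowed = {package.lower(), *package.lower().split("-")}
    return word.lower() not in allowed


def check(text: str, strict: bool = True) -> List[str]:
    """strict=True is the report's second, lower-false-positive variant:
    the proposed tag only fires when the synopsis also looks like a sentence."""
    package, synopsis, long_lines = parse_stanza(text)
    findings = []
    sentence = synopsis_phrased_as_sentence(synopsis)
    if sentence:
        findings.append(EXISTING_TAG)
    lowercase = long_starts_lowercase(package, long_lines)
    if lowercase and (sentence or not strict):
        findings.append(PROPOSED_TAG)
    return findings


if __name__ == "__main__":
    for name, stanza in (("bad", BAD_STANZA), ("good", GOOD_STANZA),
                         ("loose-only", LOOSE_ONLY_STANZA)):
        print(name, "strict:", check(stanza), "loose:", check(stanza, strict=False))
```

Running it shows the trade-off discussed in the thread: the wal2json stanza trips both the existing tag and the proposed one in either mode, the rewritten stanza trips nothing, and the third stanza is flagged only in loose mode, which is exactly the class of false positive the stricter variant is meant to avoid.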


Bug#897080: Please detect long descriptions starting with lowercase to catch short descriptions continuing into long

2018-04-28 Thread Chris Lamb
tags 897080 + moreinfo
thanks

Hi Josh,

> Description: words words words. Words words
>  words words words. Words words words.

But would this not already be caught by:

Tag: description-synopsis-might-not-be-phrased-properly
Severity: minor
Certainty: possible
Info: The package synopsis (also known as the "short" description, ie. the
 first line in the package's "Description:" field) either ends with a full
 stop "." character or starts another sentence.
 .
 This is not necessary as the synopsis does not need to be a full
 sentence.  It is recommended that a single descriptive phrase is used
 instead.
 .
 Note also that the synopsis is not part of the rest of the "long"
 Description: field.

If not, having a good corpus of "good" and "bad" examples would be the next
step here :)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Chris Lamb
tags 897082 + moreinfo
thanks

Andreas,

> I: seaview source: debian-watch-uses-insecure-uri 
> ftp://pbil.univ-lyon1.fr/pub/ […]
> 
> Since there is no anonymous secure ftp this info is not very helpful
> IMHO.

Lintian is asking you to encourage upstream to move to HTTPS. Or perhaps
I'm missing something here?

Fixing this issue would essentially involve marking "ftp://" as a
secure protocol which is obviously not the case...


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Processed: Re: Bug#897080: Please detect long descriptions starting with lowercase to catch short descriptions continuing into long

2018-04-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 897080 + moreinfo
Bug #897080 [lintian] Please detect long descriptions starting with lowercase 
to catch short descriptions continuing into long
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
897080: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897080
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 897082 + moreinfo
Bug #897082 [lintian] lintian: Please do not warn about 
debian-watch-uses-insecure-uri for ftp:// URIs
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
897082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897082
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Paul Wise
On Sat, 28 Apr 2018 07:49:43 +0200 Andreas Tille wrote:

> I: seaview source: debian-watch-uses-insecure-uri 
> ftp://pbil.univ-lyon1.fr/pub/mol_phylogeny/seaview/archive/seaview_(.*)\.tar\.gz

lintian is correct here, ftp URLs are insecure.

> Since there is no anonymous secure ftp this info is not very helpful IMHO.

FTP over TLS exists:

https://en.wikipedia.org/wiki/FTPS

I assume you mean there is no secure version of the URL you're using in
debian/watch. In that case the appropriate action is to contact
upstream and ask them to supply a secure URL for the files. Until they
provide one, you should just ignore this warning. If they refuse to
provide one you could override the warning with a comment.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
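The check this thread is about, in the form Paul describes (is the transport encrypted, and if upstream offers nothing better, override the tag with a comment explaining why), as an added example that is not lintian's own code. It reads a debian/watch file, treats https and ftps (FTP over TLS, per Niels's wording) as secure, renders each hit in lintian's `I: <source> source: <tag> <extra>` form, and then drops hits matched by a debian/source/lintian-overrides file. The watch file, the overrides and the example.invalid hostnames are constructed; the override matching is a simplified approximation of lintian's syntax (an optional `<pkg> source:` prefix, the tag name, and a shell-style glob over the extra text), not its real implementation.

```python
"""Added example (not lintian's code): flag insecure debian/watch URIs and
honour override lines, as discussed in the bug thread."""
import fnmatch
import re
from typing import List, NamedTuple, Tuple
from urllib.parse import urlsplit

TAG = "debian-watch-uses-insecure-uri"
# https and ftps (FTP over TLS) are the encrypted transports named in the thread.
SECURE_SCHEMES = {"https", "ftps"}

# Constructed sample watch file; the hostnames are placeholders.
SAMPLE_WATCH = r"""version=4
# a comment line, ignored by the parser
opts=filenamemangle=s/.*\/v?(\d\S+)\.tar\.gz/example-$1.tar.gz/ \
  https://example.invalid/releases .*/v?(\d\S+)\.tar\.gz
ftp://ftp.example.invalid/pub/example/example_(.*)\.tar\.gz
http://example.invalid/downloads/example-(.*)\.tar\.gz
ftps://ftp.example.invalid/pub/example/example_(.*)\.tar\.gz
"""

# Constructed debian/source/lintian-overrides; the comment records the reason.
SAMPLE_OVERRIDES = """\
# upstream offers plain FTP only; asked them for an HTTPS mirror (date placeholder)
example source: debian-watch-uses-insecure-uri ftp://ftp.example.invalid/*
"""


class Tag(NamedTuple):
    package: str
    tag: str
    extra: str

    def render(self, severity: str = "I") -> str:
        return f"{severity}: {self.package} source: {self.tag} {self.extra}"


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines and drop blanks and comments,
    returning (first_line_number, joined_text) pairs."""
    out, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        out.append((start, " ".join(buf)))
        buf = []
    return out


def watch_uris(text: str) -> List[Tuple[int, str]]:
    """Download URI of each watch entry (assumes unquoted opts= fields)."""
    uris = []
    for no, line in logical_lines(text):
        if line.startswith("version="):
            continue
        tokens = [t for t in line.split() if not t.startswith("opts=")]
        if tokens:
            uris.append((no, tokens[0]))
    return uris


def is_secure(uri: str) -> bool:
    return urlsplit(uri).scheme.lower() in SECURE_SCHEMES


def insecure_uri_tags(source: str, watch_text: str) -> List[Tag]:
    return [Tag(source, TAG, uri) for _, uri in watch_uris(watch_text)
            if not is_secure(uri)]


# '<pkg> source:' style prefix; a bare 'tag ftp://...' line must not match.
_PREFIX = re.compile(r"^[\w.+-]+(?:\s+\w+)*:\s+(.*)$")


def parse_overrides(text: str) -> List[Tuple[str, str]]:
    """Simplified override syntax (assumption of this example): optional
    package prefix, tag name, optional glob matched against the extra text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = _PREFIX.match(line)
        if m:
            line = m.group(1)
        name, _, glob = line.partition(" ")
        rules.append((name, glob.strip() or "*"))
    return rules


def apply_overrides(tags: List[Tag], overrides_text: str) -> List[Tag]:
    rules = parse_overrides(overrides_text)
    return [t for t in tags
            if not any(t.tag == name and fnmatch.fnmatchcase(t.extra, glob)
                       for name, glob in rules)]


if __name__ == "__main__":
    hits = insecure_uri_tags("example", SAMPLE_WATCH)
    for t in hits:
        print(t.render())
    print("after overrides:")
    for t in apply_overrides(hits, SAMPLE_OVERRIDES):
        print(t.render())
```

The override only silences the ftp:// entry it names; the plain http:// entry, for which a simple s/http:/https:/ is usually worth trying first, as Andreas describes, still surfaces.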

