Package: lintian
Version: 2.116.3
Severity: wishlist

I noticed that a few packages use ssh:// URLs for the Repository field
in the upstream metadata file. These are suboptimal since the user
might not have an account or might not be the person in the URL when a
username is hardcoded. The vcs-field-uses-not-recommended-uri-format
tag covers this problem for the Debian Vcs-* fields, but lintian does
not appear to check the upstream Repository/Repository-Browse fields.

https://codesearch.debian.net/search?q=path%3A%2Fdebian%2Fupstream+Repository.*ssh%3A&literal=0

In addition there are some packages with insecure URLs to git repos and
the vcs-field-uses-insecure-uri tag does not flag those packages yet.

https://codesearch.debian.net/search?q=path%3A%2Fdebian%2Fupstream+Repository.*git%3A&literal=0

I think it would be a good idea to extend all of the Vcs-* field checks
to also check the upstream Repository/Repository-Browse fields too.

https://wiki.debian.org/UpstreamMetadata

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
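
The check requested above, sketched as an added example; it is not part of the original report and not lintian code. The finding labels and the scheme groupings (ssh:// and scp-style `user@host:path` as not recommended, git:// and http:// as insecure) are assumptions of this sketch, and the sample metadata is constructed.

```python
import re

# Top-level fields of debian/upstream/metadata named in the report.
FIELD_LINE = re.compile(r"^(Repository(?:-Browse)?)\s*:\s*(.*)$")

# Assumption: these groupings are this example's, not lintian's rule set.
# ssh:// URLs and scp-style "user@host:path" need an account on the server.
NOT_RECOMMENDED = re.compile(r"^(?:(?:git\+)?ssh://|[^\s/:@]+@[^\s/:]+:)", re.I)
# git:// and http:// are unauthenticated, unencrypted transports.
INSECURE = re.compile(r"^(?:git|http)://", re.I)


def check_upstream_metadata(text):
    """Return (line number, field, finding, URL) for each flagged field value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FIELD_LINE.match(line)
        if not m:
            continue
        field, value = m.groups()
        # Drop a trailing YAML comment, then surrounding quotes.
        value = re.split(r"\s+#", value, maxsplit=1)[0].strip().strip("'\"")
        if NOT_RECOMMENDED.match(value):
            findings.append((lineno, field, "not-recommended-uri-format", value))
        elif INSECURE.match(value):
            findings.append((lineno, field, "insecure-uri", value))
    return findings


# Constructed sample files, not taken from any real package.
SAMPLES = {
    "pkg-a": "Repository: ssh://alice@git.example.org/project.git\n"
             "Repository-Browse: https://git.example.org/project\n",
    "pkg-b": "Repository: git://git.example.org/project.git  # mirror\n",
    "pkg-c": 'Repository: "git@git.example.org:team/project.git"\n',
    "pkg-d": "Repository: https://git.example.org/project.git\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for lineno, field, finding, url in check_upstream_metadata(text):
            print(f"{name}: debian/upstream/metadata:{lineno}: {finding} {field} {url}")
```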
