retitle 897082 lintian: Please clarify what to do with
debian-watch-uses-insecure-uri for ftp:// URIs
thanks
Dear Andreas,
> I agree my bug title was not very sensibly chosen.
No problem at all. I just wanted to ensure I understood where you
were coming from.
> Feel free to close the bug if
Niels Thykier writes:
> Chris Lamb:
>> Hi Andreas,
>>
>>> [...]
>> ... which does seem to cover the ftp:// case. Perhaps you were
>> thinking of something like:
>>
>> The watch file uses an unencrypted transport protocol for the
>> URI such as http:// or ftp://. It is
Hi Chris,
On Sat, Apr 28, 2018 at 10:52:56AM +0100, Chris Lamb wrote:
>
> Indeed, but just to clarify my own confusion, given this bug is
> titled "please do not warn about debian-watch-uses-insecure-uri for
> ftp:// URIs" I am unsure how a relatively-minor wording change,
> even if helpful,
Niels,
> Perhaps "... such as HTTPS or FTPS (FTP + TLS) for anonymous read-only
> access." would help cover the FTP-case?
Indeed, but just to clarify my own confusion, given this bug is
titled "please do not warn about debian-watch-uses-insecure-uri for
ftp:// URIs" I am unsure how a
Chris Lamb:
> Hi Andreas,
>
>> [...]
> ... which does seem to cover the ftp:// case. Perhaps you were
> thinking of something like:
>
> The watch file uses an unencrypted transport protocol for the
> URI such as http:// or ftp://. It is recommended to use a secure
> transport such as HTTPS
Hi Andreas,
> Maybe the lintian warning should be more explicit and say:
>
> d/watch is pointing to an ftp download location. Downloading
> from ftp sites is considered insecure when not using ftp over
> TLS.
Alas, without introducing a separate tag for ftp:// watch files, we
cannot
Hi Chris,
On Sat, Apr 28, 2018 at 08:31:40AM +0100, Chris Lamb wrote:
> > I: seaview source: debian-watch-uses-insecure-uri
> > ftp://pbil.univ-lyon1.fr/pub/ […]
> >
> > Since there is no anonymous secure ftp this info is not very helpful
> > IMHO.
>
> Lintian asking you to encourage upstream
tags 897082 + moreinfo
thanks
Andreas,
> I: seaview source: debian-watch-uses-insecure-uri
> ftp://pbil.univ-lyon1.fr/pub/ […]
>
> Since there is no anonymous secure ftp this info is not very helpful
> IMHO.
Lintian asking you to encourage upstream to move to HTTPS. Or perhaps
I'm missing
On Sat, 28 Apr 2018 07:49:43 +0200 Andreas Tille wrote:
> I: seaview source: debian-watch-uses-insecure-uri
> ftp://pbil.univ-lyon1.fr/pub/mol_phylogeny/seaview/archive/seaview_(.*)\.tar\.gz
lintian is correct here, ftp URLs are insecure.
> Since there is no anonymous secure ftp this info is
Package: lintian
Severity: normal
Hi,
lintian is warning (rather "informing") about insecure URIs when ftp is
used. For instance the package seaview gets:
I: seaview source: debian-watch-uses-insecure-uri
ftp://pbil.univ-lyon1.fr/pub/mol_phylogeny/seaview/archive/seaview_(.*)\.tar\.gz
Since