Processed: Re: Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 897082 lintian: Please clarify what to do with 
> debian-watch-uses-insecure-uri for ftp:// URIs
Bug #897082 [lintian] lintian: Please do not warn about 
debian-watch-uses-insecure-uri for ftp:// URIs
Changed Bug title to 'lintian: Please clarify what to do with 
debian-watch-uses-insecure-uri for ftp:// URIs' from 'lintian: Please do not 
warn about debian-watch-uses-insecure-uri for ftp:// URIs'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
897082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897082
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Chris Lamb
retitle 897082 lintian: Please clarify what to do with 
debian-watch-uses-insecure-uri for ftp:// URIs
thanks

Dear Andreas,

> I agree my bug title was not very sensibly chosen.

No problem at all. I just wanted to ensure I understood where you
were coming from.

> Feel free to close the bug if you think it should remain as it is.

IMHO people file bugs for a reason, either because there is a
genuine bug or there was a perception of one, i.e. the
documentation or output is misleading.

Will update the description with some advice for ftp:// shortly…


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Russ Allbery
Niels Thykier  writes:
> Chris Lamb:
>> Hi Andreas,
>> 
>>> [...]
>> ... which does seem to cover the ftp:// case. Perhaps you were
>> thinking of something like:
>> 
>>  The watch file uses an unencrypted transport protocol for the
>>  URI such as http:// or ftp://. It is recommended to use a secure
>>  transport such as HTTPS for anonymous read-only access.

> Perhaps "... such as HTTPS or FTPS (FTP + TLS) for anonymous read-only
> access." would help cover the FTP-case?

I suspect the number of free software distribution sites that currently
use FTP but would support FTP + TLS is at most a rounding error away from
zero.

-- 
Russ Allbery (r...@debian.org)   



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Andreas Tille
Hi Chris,

On Sat, Apr 28, 2018 at 10:52:56AM +0100, Chris Lamb wrote:
> 
> Indeed, but just to clarify my own confusion, given this bug is
> titled "please do not warn about debian-watch-uses-insecure-uri for
> ftp:// URIs" I am unsure how a relatively-minor wording change,
> even if helpful, etc., would help address that

I agree my bug title was not very sensibly chosen.

I simply wanted to express that I have no idea what to do *personally*
(besides trying to contact the authors) in cases where ftp is used.
This is in contrast to lots of other watch files I was able to change to
https, and thus I felt bothered by a not-so-helpful lintian warning which,
from my personal point of view, would belong in a different category.

Feel free to close the bug if you think it should remain as it is.

Kind regards

Andreas.

-- 
http://fam-tille.de



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Chris Lamb
Niels,

> Perhaps "... such as HTTPS or FTPS (FTP + TLS) for anonymous read-only
> access." would help cover the FTP-case?

Indeed, but just to clarify my own confusion, given this bug is
titled "please do not warn about debian-watch-uses-insecure-uri for
ftp:// URIs" I am unsure how a relatively-minor wording change,
even if helpful, etc., would help address that


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Niels Thykier
Chris Lamb:
> Hi Andreas,
> 
>> [...]
> ... which does seem to cover the ftp:// case. Perhaps you were
> thinking of something like:
> 
>  The watch file uses an unencrypted transport protocol for the
>  URI such as http:// or ftp://. It is recommended to use a secure
>  transport such as HTTPS for anonymous read-only access.
> 

Perhaps "... such as HTTPS or FTPS (FTP + TLS) for anonymous read-only
access." would help cover the FTP-case?

Thanks,
~Niels



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Chris Lamb
Hi Andreas,

> Maybe the lintian warning should be more explicit and say:
> 
>   d/watch is pointing to an ftp download location.  Downloading
>   from ftp sites is considered insecure when not using ftp over
>   TLS.

Alas, without introducing a separate tag for ftp:// watch files, we
cannot conditionally output parts of a description.

The tag currently says:

 The watch file uses an unencrypted transport protocol for the
 URI. It is recommended to use a secure transport such as HTTPS for
 anonymous read-only access.

... which does seem to cover the ftp:// case. Perhaps you were
thinking of something like:

 The watch file uses an unencrypted transport protocol for the
 URI such as http:// or ftp://. It is recommended to use a secure
 transport such as HTTPS for anonymous read-only access.

... but this doesn't really seem to change or improve clarity that
much, so I don't think I am 100% understanding the problem here or
am misinterpreting the original bug title - ftp:// URIs are
insecure.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Andreas Tille
Hi Chris,

On Sat, Apr 28, 2018 at 08:31:40AM +0100, Chris Lamb wrote:
> > I: seaview source: debian-watch-uses-insecure-uri 
> > ftp://pbil.univ-lyon1.fr/pub/ […]
> > 
> > Since there is no anonymous secure ftp this info is not very helpful
> > IMHO.
> 
> Lintian is asking you to encourage upstream to move to HTTPS. Or perhaps
> I'm missing something here?

This answer is targeting in the same direction as Paul's response.

My understanding of the lintian issue was to make maintainers verify
whether their watch files will work with https instead of http as well.
This way I fixed several watch files but if I realised that the watch
file does not work after a simple s/http:/https:/ (usually resulting in
an error 503) I reverted the change.

With this understanding I never had a reason to look into ftp: based
watch files.

I agree that if the intention is not to encourage the maintainer to
try a s/http:/https:/ but rather contact upstream the lintian warning
is fine but may be the text should be more explicit:

   Please contact upstream and point them to  how to
   change their download method.
 
> Fixing this issue would essentially involve marking "ftp://" as a
> secure protocol which is obviously not the case...

Definitely not.  Maybe the lintian warning should be more explicit
and say:

  d/watch is pointing to an ftp download location.  Downloading
  from ftp sites is considered insecure when not using ftp over
  TLS.

Kind regards

  Andreas. 

-- 
http://fam-tille.de



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Chris Lamb
tags 897082 + moreinfo
thanks

Andreas,

> I: seaview source: debian-watch-uses-insecure-uri 
> ftp://pbil.univ-lyon1.fr/pub/ […]
> 
> Since there is no anonymous secure ftp this info is not very helpful
> IMHO.

Lintian is asking you to encourage upstream to move to HTTPS. Or perhaps
I'm missing something here?

Fixing this issue would essentially involve marking "ftp://" as a
secure protocol which is obviously not the case...


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Processed: Re: Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 897082 + moreinfo
Bug #897082 [lintian] lintian: Please do not warn about 
debian-watch-uses-insecure-uri for ftp:// URIs
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
897082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897082
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-28 Thread Paul Wise
On Sat, 28 Apr 2018 07:49:43 +0200 Andreas Tille wrote:

> I: seaview source: debian-watch-uses-insecure-uri 
> ftp://pbil.univ-lyon1.fr/pub/mol_phylogeny/seaview/archive/seaview_(.*)\.tar\.gz

lintian is correct here, ftp URLs are insecure.

> Since there is no anonymous secure ftp this info is not very helpful IMHO.

FTP over TLS exists:

https://en.wikipedia.org/wiki/FTPS

I assume you mean there is no secure version of the URL you're using in
debian/watch. In that case the appropriate action is to contact
upstream and ask them to supply a secure URL for the files. Until they
provide one, you should just ignore this warning. If they refuse to
provide one you could override the warning with a comment.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


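The two pieces of practical advice in this thread are Andreas's s/http:/https:/ trial (only meaningful for http:// entries, since an ftp:// URL has no drop-in TLS equivalent) and Paul's suggestion to override the tag with a comment once upstream has been asked and declined. The following script is an added example written for this page; it is not lintian's implementation and not code from the bug report. It parses a constructed debian/watch sample (the seaview ftp:// line is the one quoted in the bug; the other entries and the package names are made up), flags entries whose scheme is a plaintext transport, proposes the https candidate where one exists, and emits an override in the `<package> source: <tag> <info>` form that lintian reads from debian/source/lintian-overrides. Which schemes count as "secure" is this example's own assumption, not lintian's list, and no network access is made unless the caller passes a probe function.

```python
"""Added example: scan a debian/watch file for unencrypted download URIs.

Not lintian's code. It mimics the idea behind debian-watch-uses-insecure-uri,
suggests the s/http:/https:/ candidate for http:// entries, and prints a
commented override for entries that cannot be fixed locally (e.g. ftp://).
"""
import re
from urllib.parse import urlsplit

INSECURE_SCHEMES = {"http", "ftp"}          # plaintext transports
SECURE_SCHEMES = {"https", "ftps", "sftp"}  # assumption: what this example accepts

# Constructed sample watch file: an opts= entry with line continuations and a
# comment, the ftp:// entry quoted in bug #897082, and one already-https entry.
SAMPLE_WATCH = r"""version=4
# upstream tarballs
opts="filenamemangle=s/.*\/v?(\d\S+)\.tar\.gz/foo-$1.tar.gz/" \
  http://example.org/foo/releases \
  .*/v?(\d\S+)\.tar\.gz
ftp://pbil.univ-lyon1.fr/pub/mol_phylogeny/seaview/archive/seaview_(.*)\.tar\.gz
https://example.net/bar/bar-(\d+)\.tar\.xz
"""


def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def watch_uris(text):
    """Return the URI of every entry, skipping the version= line and an opts= prefix.

    Assumes the opts= value contains no whitespace, which is the common case.
    """
    uris = []
    for line in logical_lines(text):
        if re.match(r"version\s*=", line):
            continue
        fields = line.split()
        if fields and fields[0].startswith("opts="):
            fields = fields[1:]
        if fields:
            uris.append(fields[0])
    return uris


def classify(uri):
    """'insecure' for plaintext schemes, 'secure' for TLS/SSH ones, else 'unknown'."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme in INSECURE_SCHEMES:
        return "insecure"
    if scheme in SECURE_SCHEMES:
        return "secure"
    return "unknown"


def https_candidate(uri):
    """The s/http:/https:/ trial: same host and path, TLS scheme.

    ftp:// has no drop-in equivalent, so None is returned and the maintainer
    has to ask upstream for a secure URL, as the thread concludes.
    """
    if urlsplit(uri).scheme.lower() == "http":
        return "https:" + uri.split(":", 1)[1]
    return None


def override_text(package, uri, reason):
    """A commented override in the form lintian reads from debian/source/lintian-overrides."""
    return f"# {reason}\n{package} source: debian-watch-uses-insecure-uri {uri}"


def report(package, text, probe=None):
    """Return one finding per insecure entry.

    probe(url) -> bool may be supplied to actually try the HTTPS candidate
    (e.g. with an HTTP HEAD request); by default nothing is fetched so the
    example runs offline.
    """
    findings = []
    for uri in watch_uris(text):
        if classify(uri) != "insecure":
            continue
        cand = https_candidate(uri)
        works = probe(cand) if (probe and cand) else None
        override = None if cand else override_text(
            package, uri, "upstream offers no TLS download; asked on <date>")
        findings.append({"uri": uri, "candidate": cand,
                         "works": works, "override": override})
    return findings


if __name__ == "__main__":
    for f in report("seaview", SAMPLE_WATCH):
        print(f["uri"], "->", f["candidate"] or "no https candidate")
        if f["override"]:
            print(f["override"])
```

The probe hook is where a real check would issue a HEAD request against the candidate and revert on failure, the behaviour Andreas describes getting a 503 for; keeping it injectable means the parsing and override logic can be tested without touching the network.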


Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs

2018-04-27 Thread Andreas Tille
Package: lintian
Severity: normal

Hi,

lintian is warning (rather "informing") about insecure URIs when ftp is
used.  For instance the package seaview gets:

I: seaview source: debian-watch-uses-insecure-uri 
ftp://pbil.univ-lyon1.fr/pub/mol_phylogeny/seaview/archive/seaview_(.*)\.tar\.gz

Since there is no anonymous secure ftp this info is not very helpful IMHO.

Kind regards and thanks for maintaining lintian

Andreas.


-- System Information:
Debian Release: 9.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils  2.28-5
ii  bzip2 1.0.6-8.1
pn  diffstat  
ii  dpkg  1.18.24
ii  file  1:5.30-1+deb9u1
pn  gettext   
pn  intltool-debian   
ii  libapt-pkg-perl   0.1.32
pn  libarchive-zip-perl   
pn  libclass-accessor-perl
pn  libclone-perl 
ii  libdpkg-perl  1.18.24
pn  libemail-valid-perl   
pn  libfile-basedir-perl  
pn  libipc-run-perl   
ii  liblist-moreutils-perl0.416-1+b1
pn  libparse-debianchangelog-perl 
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-3+deb9u3
pn  libtext-levenshtein-perl  
ii  libtimedate-perl  2.3000-2
ii  liburi-perl   1.71-1
pn  libxml-simple-perl
pn  libyaml-libyaml-perl  
ii  man-db2.7.6.1-2
pn  patchutils
ii  perl  5.24.1-3+deb9u3
pn  t1utils   
ii  xz-utils  5.2.2-1.2+b1

Versions of packages lintian recommends:
ii  dpkg 1.18.24
pn  libperlio-gzip-perl  
ii  perl 5.24.1-3+deb9u3
ii  perl-modules-5.24 [libautodie-perl]  5.24.1-3+deb9u3

Versions of packages lintian suggests:
pn  binutils-multiarch 
pn  dpkg-dev   
ii  libhtml-parser-perl3.72-3
ii  libtext-template-perl  1.46-1