
Bug#786362: lintian: Maybe false negative of privacy-breach-generic



Package: lintian
Version: 2.5.31

I've got a package which now generates its documentation with the
recently packaged mkdocs.

With mkdocs' default theme, I get tons of privacy-breach-* warnings. (I
wonder if that's worth a bug report against mkdocs.)

Luckily if I switch to the included readthedocs theme, I only get one
(theme-related) privacy-breach-* warning for

  <link href='https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel='stylesheet' type='text/css'>

But the generated documentation still has code which may validate a
privacy-breach-* warning, too:

  <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
  <script src="//cdnjs.cloudflare.com/ajax/libs/modernizr/2.8.3/modernizr.min.js"></script>

The interesting point, and the reason why there's a "maybe" in the title
of this bug report, is that the actual protocol is missing. This is a
common but widely unknown trick to avoid mixed http/https content.

So IMHO this clearly is a privacy breach if such documentation is read
via a webserver running on localhost (e.g. via the dwww package).

But if such documentation is only read via some file:///usr/share/doc/
URL, I doubt that these URLs without protocol will work as they are
bound to use the same protocol as the page they're on. Which is neither
http nor https in this case.

So depending on the way the documentation is read, it is a privacy
breach or not:

* If the way the documentation is read does not matter for whether
  something counts as a privacy breach, then lintian should warn about
  this kind of external resource being included.

* If privacy breaches only matter for documentation directly read from
  the disc without network interaction being expected, not even via
  localhost, then feel free to close this bug report without a fix.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'buildd-unstable'), (400, 'stable'), (110, 'experimental'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages lintian depends on:
ii  binutils                       2.25-7
ii  bzip2                          1.0.6-8
ii  diffstat                       1.58-1
ii  file                           1:5.22+15-2
ii  gettext                        0.19.4-1
ii  hardening-includes             2.7
ii  intltool-debian                0.35.0+20060710.2
ii  libapt-pkg-perl                0.1.29+b2
ii  libarchive-zip-perl            1.39-1
ii  libclass-accessor-perl         0.34-1
ii  libclone-perl                  0.37-1+b1
ii  libdigest-sha-perl             5.95-2
ii  libdpkg-perl                   1.18.0
ii  libemail-valid-perl            1.195-1
ii  libfile-basedir-perl           0.03-1
ii  libipc-run-perl                0.94-1
ii  liblist-moreutils-perl         0.410-1
ii  libparse-debianchangelog-perl  1.2.0-1.1
ii  libtext-levenshtein-perl       0.12-1
ii  libtimedate-perl               2.3000-2
ii  liburi-perl                    1.64-1
ii  man-db                         2.7.0.2-5
ii  patchutils                     0.3.4-1
ii  perl [libdigest-sha-perl]      5.20.2-6
ii  t1utils                        1.38-4
ii  xz-utils                       5.1.1alpha+20120614-2+b3

Versions of packages lintian recommends:
ii  dpkg                            1.18.0
ii  libautodie-perl                 2.25-1
ii  libperlio-gzip-perl             0.18-3+b1
ii  perl                            5.20.2-6
ii  perl-modules [libautodie-perl]  5.20.2-6

Versions of packages lintian suggests:
ii  binutils-multiarch     2.25-7
ii  dpkg-dev               1.18.0
ii  libhtml-parser-perl    3.71-1+b3
ii  libtext-template-perl  1.46-1
ii  libyaml-perl           1.13-1

-- no debconf information
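
The scheme-dependent behaviour described in this report can be checked mechanically. The following is an added example, not part of the original report and not lintian's own code: it collects the automatically loaded resources from the three tags quoted above and resolves each against the URL the page is viewed from. The two base URLs used in the usage note, the `js/theme.js` asset and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the three tags quoted in the report plus one local asset.
SAMPLE_HTML = """
<link href='https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel='stylesheet' type='text/css'>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/modernizr/2.8.3/modernizr.min.js"></script>
<script src="js/theme.js"></script>
"""

# Tag/attribute pairs a browser fetches while rendering (deliberately small
# set; <a href> is navigation, not an automatic fetch).
FETCH_ATTRS = {("script", "src"), ("link", "href"), ("img", "src"), ("iframe", "src")}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


class ResourceCollector(HTMLParser):
    """Collect raw URL references that are loaded automatically."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in FETCH_ATTRS:
                self.refs.append(value)


def classify(ref, base_url):
    """Resolve ref against the URL the page is viewed from and classify it."""
    resolved = urlsplit(urljoin(base_url, ref))
    if resolved.scheme in ("http", "https") and resolved.hostname not in LOCAL_HOSTS:
        return "remote-fetch"  # a third-party host receives the reader's request
    if ref.startswith("//"):
        return "scheme-relative-file"  # inherited file: from the base, no http(s) fetch
    return "local"


def audit(html, base_url):
    """Return (reference, classification) pairs for one viewing context."""
    collector = ResourceCollector()
    collector.feed(html)
    return [(ref, classify(ref, base_url)) for ref in collector.refs]
```

Calling `audit(SAMPLE_HTML, "http://localhost/doc/pkg/html/index.html")` marks all three external tags as `remote-fetch`, while a `file:///usr/share/doc/pkg/html/index.html` base leaves only the explicit `https://` font stylesheet in that class. A static check that cannot know the viewing context would therefore have to flag any reference starting with `//` to cover the localhost case.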

