
Bug#897082: lintian: Please do not warn about debian-watch-uses-insecure-uri for ftp:// URIs



Hi Andreas,

> Maybe the lintian warning should be more explicit and say:
> 
>   d/watch is pointing to an ftp download location.  Downloading
>   from ftp sites is considered insecure when not using ftp over
>   TLS.

Alas, without introducing a separate tag for ftp:// watch files, we
cannot conditionally output parts of a description.

The tag currently says:

 The watch file uses an unencrypted transport protocol for the
 URI. It is recommended to use a secure transport such as HTTPS for
 anonymous read-only access.

... which does seem to cover the ftp:// case. Perhaps you were
thinking of something like:

 The watch file uses an unencrypted transport protocol for the
 URI such as http:// or ftp://. It is recommended to use a secure
 transport such as HTTPS for anonymous read-only access.

... but this doesn't really seem to change or improve clarity that
much, so I don't think I am 100% understanding the problem here or
am misinterpreting the original bug title - ftp:// URIs are
insecure.


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

