Debian Bug report logs - #1039869
lintian: extend Vcs-* checks to upstream Repository/Repository-Browser URLs too

Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <[email protected]>; Source for lintian is src:lintian.

Reported by: Paul Wise <[email protected]>

Date: Thu, 29 Jun 2023 04:18:01 UTC

Severity: wishlist

Found in version lintian/2.116.3


Report forwarded to [email protected], Debian Lintian Maintainers <[email protected]>:
Bug#1039869; Package lintian. (Thu, 29 Jun 2023 04:18:03 GMT)


Acknowledgement sent to Paul Wise <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian Lintian Maintainers <[email protected]>. (Thu, 29 Jun 2023 04:18:03 GMT)


Message #5 received at [email protected]:

From: Paul Wise <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: lintian: extend Vcs-* checks to upstream Repository/Repository-Browser URLs too
Date: Thu, 29 Jun 2023 12:14:34 +0800
Package: lintian
Version: 2.116.3
Severity: wishlist

I noticed that a few packages use ssh:// URLs for the Repository field
in the upstream metadata file. These are suboptimal since the user
might not have an account or might not be the person in the URL when a
username is hardcoded. The vcs-field-uses-not-recommended-uri-format
tag covers this problem for the Debian Vcs-* fields, but lintian does
not appear to check the upstream Repository/Repository-Browse fields.

https://codesearch.debian.net/search?q=path%3A%2Fdebian%2Fupstream+Repository.*ssh%3A&literal=0

In addition there are some packages with insecure URLs to git repos and
the vcs-field-uses-insecure-uri tag does not flag those packages yet.

https://codesearch.debian.net/search?q=path%3A%2Fdebian%2Fupstream+Repository.*git%3A&literal=0

I think it would be a good idea to extend all of the Vcs-* field checks
to also check the upstream Repository/Repository-Browse fields too.

https://wiki.debian.org/UpstreamMetadata

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
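
The check requested in the report above, as an added example (not part of the original message and not lintian's own code): it scans the Repository and Repository-Browse fields of a debian/upstream/metadata file for ssh:// and git:// URLs. The label names are hypothetical, the http:// and scp-like `user@host:path` cases go beyond what the report names, and the sample file is constructed.

```python
import re

# Upstream metadata fields named in the report.
FIELDS = ("Repository", "Repository-Browse")

# Hypothetical labels modelled on the Vcs-* tag names; not real lintian tags.
NOT_RECOMMENDED = "upstream-field-uses-not-recommended-uri-format"
INSECURE = "upstream-field-uses-insecure-uri"

# scp-like git syntax (user@host:path) is ssh too; covering it is an assumption.
SCP_LIKE = re.compile(r"^[\w.-]+@[\w.-]+:(?!//)")


def classify(url):
    """Return the list of labels that apply to one repository URL."""
    scheme = url.split("://", 1)[0].lower() if "://" in url else ""
    labels = []
    if scheme in ("ssh", "git+ssh", "svn+ssh") or SCP_LIKE.match(url):
        labels.append(NOT_RECOMMENDED)  # needs an account, may hardcode a user
    if scheme in ("git", "http"):  # unauthenticated, unencrypted transports
        labels.append(INSECURE)
    return labels


def check_metadata(text):
    """Scan flat top-level 'Key: value' lines of debian/upstream/metadata."""
    # Assumption: scalar fields only; a real check would use a YAML parser.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition(":")
        if not sep or key.strip() not in FIELDS or line[:1].isspace():
            continue
        url = value.split(" #", 1)[0].strip().strip("'\"")
        for label in classify(url):
            findings.append((lineno, key.strip(), label, url))
    return findings


# Constructed sample input, not taken from any real package.
SAMPLE = """\
Bug-Database: https://example.org/project/issues
Repository: ssh://alice@git.example.org/project.git
Repository-Browse: http://git.example.org/project
"""

if __name__ == "__main__":
    for finding in check_metadata(SAMPLE):
        print("%d: %s: %s %s" % finding)
```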


Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 09:14:52 2025; Machine Name: buxtehude