[Pkg-zsh-devel] Bug#1077869: Bug#1077869: zsh: please use secure URLs in debian/upstream/metadata
Axel Beckert
abe at debian.org
Mon Aug 5 16:15:00 BST 2024
Control: tag -1 + confirmed
Hi Simon,
Simon McVittie wrote:
> While looking for upstream fixes for zsh compatibility with gcc 14,
> I noticed that the source package uses git:// and http:// URLs in
> debian/upstream/metadata, which do not authenticate the identity of the
> remote server and so are vulnerable to man-in-the-middle attacks. Please
> replace them with their equivalent https:// URLs, for example by applying
> the attached patch.
Thanks. The last time I looked, IIRC neither HTTPS *.sourceforge.io
nor git over HTTPS did work. But that was probably already more than a
year ago.
> -Changelog: http://zsh.sourceforge.net/releases.html
> +Changelog: https://zsh.sourceforge.io/releases.html
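Review bot: The Changelog line changes the host from zsh.sourceforge.net to zsh.sourceforge.io as well as the scheme, and the FAQ, Homepage and Documentation lines do the same, so these four are not the scheme-only swap the request describes. Say so in the commit message, so that a later reader does not take the .io host for a typo and revert it.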
Works.
> -FAQ: http://zsh.sourceforge.net/FAQ/
> +FAQ: https://zsh.sourceforge.io/FAQ/
Works.
> -Homepage: http://zsh.sourceforge.net/
> +Homepage: https://zsh.sourceforge.io/
Works.
> -Repository: git://git.code.sf.net/p/zsh/code
> +Repository: https://git.code.sf.net/p/zsh/code
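Review bot: The Repository line keeps the host git.code.sf.net and changes only git:// to https://, and it is the one value here that git consumes rather than a browser, so the check that matters for it is a clone or ls-remote over https, not a page load. If the file has no Repository-Browse field, consider adding one that points at the browsable web view of the repository.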
Odd. Works with "git clone", but not in a browser. Oh well.
> -Documentation: http://zsh.sourceforge.net/Doc/
> +Documentation: https://zsh.sourceforge.io/Doc/
Works.
So yes, we should apply this.
P.S.: Thanks also for the gcc-14 patch!
Regards, Axel
--
,''`. | Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
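
The check behind this bug report can be automated. The following is an added example, not part of the e-mail or of the zsh packaging: it scans a debian/upstream/metadata file for URL schemes that do not authenticate the server and proposes an https:// candidate for each. The function name `insecure_fields`, the scheme list and the sample input (the pre-patch values quoted above) are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: schemes treated as unauthenticated for this check.
INSECURE_SCHEMES = {"http", "git", "ftp"}

# Constructed sample: the five fields from the thread with their pre-patch values.
SAMPLE = """\
Changelog: http://zsh.sourceforge.net/releases.html
FAQ: http://zsh.sourceforge.net/FAQ/
Homepage: http://zsh.sourceforge.net/
Repository: git://git.code.sf.net/p/zsh/code
Documentation: http://zsh.sourceforge.net/Doc/
"""

# Matches simple "Field: value" lines; nested YAML structures are skipped.
FIELD = re.compile(r"^\s*(?:-\s*)?([A-Za-z][\w-]*):\s*(\S+)\s*$")


def insecure_fields(text):
    """Return (line_no, field, url, https_candidate) for each insecure URL."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = FIELD.match(line)
        if not match:
            continue
        field, value = match.groups()
        value = value.strip("'\"")  # tolerate quoted YAML scalars
        parts = urlsplit(value)
        if parts.scheme.lower() in INSECURE_SCHEMES and parts.netloc:
            # Only the scheme is swapped. The host is left alone, so the
            # candidate still has to be tested by hand: in the thread the
            # web pages ended up on a different host (.io), which no
            # mechanical rewrite would have produced.
            candidate = parts._replace(scheme="https").geturl()
            findings.append((line_no, field, value, candidate))
    return findings


if __name__ == "__main__":
    for line_no, field, url, candidate in insecure_fields(SAMPLE):
        print(f"line {line_no}: {field}: {url} -> try {candidate}")
```
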