Bug#865347: libdvd-pkg: use https for the download

2018-01-27 Thread Hideki Yamane
Hi,

I've created patches for this https download issue. Could you
check and apply them, please?


-- 
Regards,

 Hideki Yamane henrich @ debian.org/iijmio-mail.jp
From c25290336b8999f7342f14f1e26376404b1875f9 Mon Sep 17 00:00:00 2001
From: Hideki Yamane 
Date: Sun, 28 Jan 2018 14:01:30 +0900
Subject: [PATCH 1/2] check with https

---
 debian/watch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/watch b/debian/watch
index eec941e..76cedb2 100644
--- a/debian/watch
+++ b/debian/watch
@@ -9,7 +9,7 @@ version=3
 opts=\
 downloadurlmangle=s/([\d.]+)\//$1\/libdvdcss-$1\.tar\.bz2/,\
 filenamemangle=s/\D*(\d+\.\d+\.\d+)\D*/libdvdcss-$1.tar.bz2/,\
- http://download.videolan.org/pub/libdvdcss/ (\d[\d.]+)/
+ https://download.videolan.org/pub/libdvdcss/ (\d[\d.]+)/
 
 # latest version
 #http://download.videolan.org/pub/libdvdcss/last/libdvdcss-([\d.]+)\.tar\.(?:xz|bz2|gz)
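Review bot: The commented-out "latest version" URL on the last context line of this hunk still uses http://download.videolan.org/...; if that line is ever re-enabled it brings back the plain-HTTP check, so switch it to https as well or drop it. The opts= block shown here also carries no pgpsigurlmangle, so uscan authenticates the tarball only through TLS to the download host; if upstream publishes detached signatures, a signature check would be a stronger control than the scheme change alone.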
-- 
2.15.1

From bdca82b5a8c9ab586de94053f2ae359f729d363d Mon Sep 17 00:00:00 2001
From: Hideki Yamane 
Date: Sun, 28 Jan 2018 14:03:10 +0900
Subject: [PATCH 2/2] fix #865347: use https for the download

---
 ...001-fix-865347-use-https-for-the-download.patch | 33 ++
 debian/patches/series  |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 debian/patches/0001-fix-865347-use-https-for-the-download.patch
 create mode 100644 debian/patches/series

diff --git a/debian/patches/0001-fix-865347-use-https-for-the-download.patch b/debian/patches/0001-fix-865347-use-https-for-the-download.patch
new file mode 100644
index 000..dc90491
--- /dev/null
+++ b/debian/patches/0001-fix-865347-use-https-for-the-download.patch
@@ -0,0 +1,33 @@
+From: Hideki Yamane 
+Date: Sun, 28 Jan 2018 14:02:26 +0900
+Subject: fix #865347: use https for the download
+
+---
+ libdvdcss/debian/rules | 2 +-
+ libdvdcss/debian/watch | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libdvdcss/debian/rules b/libdvdcss/debian/rules
+index 81f5acc..1493de8 100755
+--- a/libdvdcss/debian/rules
 b/libdvdcss/debian/rules
+@@ -22,5 +22,5 @@ VER ?= $(shell dpkg-parsechangelog -l$(PKD)/changelog | perl -ne 'print $$1 if m
+ .PHONY: get-orig-source
+ get-orig-source:  $(info I: $(PKG)_$(VER))
+ 	/usr/bin/wget --tries=3 --timeout=40 --read-timeout=40 --continue -O libdvdcss_$(VER).orig.tar.bz2 \
+-  http://download.videolan.org/pub/libdvdcss/$(VER)/libdvdcss-$(VER).tar.bz2 \
++  https://download.videolan.org/pub/libdvdcss/$(VER)/libdvdcss-$(VER).tar.bz2 \
+ || /usr/bin/uscan --noconf --verbose --rename --destdir=$(CURDIR) --check-dirname-level=0 --force-download --download-current-version $(PKD)
+diff --git a/libdvdcss/debian/watch b/libdvdcss/debian/watch
+index 91d8609..8653940 100644
+--- a/libdvdcss/debian/watch
 b/libdvdcss/debian/watch
+@@ -4,7 +4,7 @@ version=3
+ opts=\
+ downloadurlmangle=s/([\d.]+)\//$1\/libdvdcss-$1\.tar\.bz2/,\
+ filenamemangle=s/\D*(\d+\.\d+\.\d+)\D*/libdvdcss-$1.tar.bz2/,\
+- http://download.videolan.org/pub/libdvdcss/ (\d[\d.]+)/
++ https://download.videolan.org/pub/libdvdcss/ (\d[\d.]+)/
+ 
+ # latest version
+ #http://download.videolan.org/pub/libdvdcss/last/libdvdcss-([\d.]+)\.tar\.(?:xz|bz2|gz)
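Review bot: In the get-orig-source recipe of the embedded patch, the wget call now fetches over https but gets no --ca-certificate option, and the diffstat shows only files under debian/patches/ being added, so nothing here adds the ca-certificates dependency the bug report asks for. Without a usable CA bundle wget fails and the recipe drops into the "|| /usr/bin/uscan ... --force-download --download-current-version" fallback, so please add the dependency (or pin the CA as the reporter suggested). The new patch file's header also has only From/Date/Subject; a short description and a Bug-Debian reference would document why the URLs change.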
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..2797d13
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-fix-865347-use-https-for-the-download.patch
-- 
2.15.1

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#865347: libdvd-pkg: use https for the download

2017-06-20 Thread Christoph Anton Mitterer
Package: libdvd-pkg
Version: 1.4.0-1-2
Severity: wishlist


Hi.

The videolan servers support https, I suggest using this for the download.
While this doesn't help with security, it adds privacy for the download process.

Of course one needs to add some --ca-certificate= to wget, of course best would
be to only add the CA that videolan actually uses, currently USERTrust RSA
Certification Authority.
And one would need to depend on ca-certificates.


You should perhaps also update the watchfile.

btw: In get-orig-source, why do you use uscan to download the current version 
if downloading fails with wget?
That should then anyway not be usable due to the missing SHA256sum file,... and 
it won't be deleted then either, so
the user may accidentally use that unverified code.

Cheers,
Chris.
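
The failure mode raised in the report above (a fallback download that cannot be checked against the SHA256sum file and is left on disk), shown as an added example that is not part of the original message or of libdvd-pkg. The function names, the file names and the checksum-file layout (`sha256sum` output) are assumptions.

```shell
#!/bin/sh
# Added example, not libdvd-pkg code. Assumed: checksum file lines look like
# "<sha256>  <filename>" (sha256sum output); function names are hypothetical.

# verify_or_remove TARBALL SUMFILE
# Returns 0 only when TARBALL matches its entry in SUMFILE. On every failure
# path the tarball is deleted, so an unverified file is never left behind.
verify_or_remove() {
    tarball=$1
    sumfile=$2
    name=$(basename "$tarball")

    [ -f "$tarball" ] || { echo "E: $tarball not found" >&2; return 1; }

    if [ ! -r "$sumfile" ]; then
        echo "E: no checksum file; removing unverified $name" >&2
        rm -f "$tarball"
        return 1
    fi

    # Expected digest for exactly this file name ("*name" is binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sumfile")
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')

    if [ -z "$expected" ] || [ "$actual" != "$expected" ]; then
        echo "E: checksum missing or mismatched; removing $name" >&2
        rm -f "$tarball"
        return 1
    fi
    echo "I: $name verified" >&2
}

# fetch_verified URL TARBALL SUMFILE
# Whichever tool fetched the file, nothing is kept unless the check passes.
fetch_verified() {
    /usr/bin/wget --tries=3 --timeout=40 --read-timeout=40 -O "$2" "$1" \
        || { rm -f "$2"; return 1; }
    verify_or_remove "$2" "$3"
}
```

The same `verify_or_remove` call can follow a uscan fallback, so a tarball obtained that way is either verified or deleted.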
