Bug#951008: marked as done (gem2deb: dh-make-ruby generates insecure URLs)

Mon, 10 Feb 2020 11:49:00 -0800 

Your message dated Mon, 10 Feb 2020 20:19:15 +0100
with message-id <[email protected]>
and subject line Re: Bug#951008: gem2deb: dh-make-ruby generates insecure URLs
has caused the Debian Bug report #951008,
regarding gem2deb: dh-make-ruby generates insecure URLs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
951008: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951008
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: gem2deb
Version: 1.0.4
Severity: important


Quack,
When updating a package with the recently updated "new-upstream" script it calls dh-make-ruby. This results in the Homepage URL in debian/control to switch to insecure, and the newly generated debian/upstream/metadata file to contains insecure URLs.
Calling the script without --offline does not change anything (it might have tested available URLs).
Anyway, I think nowadays insecure URLs are exceptions and our tools must default to using HTTPS (and the maintainer can override if there is no other way to reach upstream's website). 

Regards.
\_o<

--
Marc Dequènes

--- End Message ---
--- Begin Message --- 
On Mon, Feb 10, 2020 at 03:36:25AM +0900, Marc Dequènes wrote:
> Package: gem2deb
> Version: 1.0.4
> Severity: important
> 
> 
> Quack,
> 
> When updating a package with the recently updated "new-upstream" script it
> calls dh-make-ruby. This results in the Homepage URL in debian/control to
> switch to insecure, and the newly generated debian/upstream/metadata file to
> contains insecure URLs.
> 
> Calling the script without --offline does not change anything (it might have
> tested available URLs).
> 
> Anyway, I think nowadays insecure URLs are exceptions and our tools must
> default to using HTTPS (and the maintainer can override if there is no other
> way to reach upstream's website).

All of those URL's come from the upstream metadata. gem2deb cannot
sanely convert http to https blindly, so that needs to be fixed
upstream.

Attachment: signature.asc
Description: PGP signature


--- End Message ---

Reply via email to