Package: duck
Version: 0.9
Severity: normal

Dear Maintainer,

http://repo.or.cz/ is one of the earliest if not the earliest free Git hoster. Some Debian packages refer to code hosted on that website. The website is also reachable at http://repo.or.cz/, hence duck argues about not using HTTPS:

I: debian/control: Vcs-Browser: http://repo.or.cz/w/conkeror.git: INFORMATION (Certainty:certain)
The web page at http://repo.or.cz/w/conkeror.git works, but is also available via https://repo.or.cz/w/conkeror.git, please consider switching to HTTPS urls.

I: debian/copyright:4: URL: http://repo.or.cz/w/conkeror.git: INFORMATION (Certainty:possible)
The web page at http://repo.or.cz/w/conkeror.git works, but is also available via https://repo.or.cz/w/conkeror.git, please consider switching to HTTPS urls.

But it uses a self-signed SSL certificate for HTTPS and hence the suggested URLs cause a fat warning in every web browser and also in OpenSSL:

$ echo QUIT | openssl s_client -connect repo.or.cz:443 | openssl x509 -in /dev/stdin -noout -text
depth=1 serialNumber = 6a:ac:44:8f:07:1d:57:0a:1c:cf:12:a2:a7:8f:29:b9:c0:ed:cc:d7, CN = girocco rorcz root certificate
verify error:num=19:self signed certificate in certificate chain
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:27:b4:05:67:14:75:a2:bd:e1:e6:9f:61:ea:48:53:de:48:a6:e8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: serialNumber=6a:ac:44:8f:07:1d:57:0a:1c:cf:12:a2:a7:8f:29:b9:c0:ed:cc:d7, CN=girocco rorcz root certificate
        Validity
            Not Before: Aug 11 00:00:00 1997 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject: CN=repo.or.cz
[…]

IMHO, duck should only suggest to switch to HTTPS if the used SSL certificate can be verified by the SSL certificates shipped in the package ca-certificates. Probably for local runs of duck, only those certificates should be taken into account which are verifiable by _enabled_ certificates from ca-certificates.
It's probably debatable if sites with SSL certificates verifiable with the package ca-cacert installed or sites with a self-signed certificate verifiable via TLSA/DANE should cause such a warning or not. I tend to say no here, too.

-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages duck depends on:
ii  devscripts                           2.16.5
ii  dpkg-dev                             1.18.7
ii  libconfig-inifiles-perl              2.89-1
ii  libconfig-simple-perl                4.59-6
ii  libdomain-publicsuffix-perl          0.10-1
ii  libfile-which-perl                   1.21-1
ii  libmailtools-perl                    2.13-1
ii  libnet-dns-perl                      1.05-2
ii  libparse-debcontrol-perl             2.005-4
ii  libpath-class-perl                   0.36-1
ii  libregexp-common-email-address-perl  1.01-4
ii  libregexp-common-perl                2016060201-1
ii  libstring-similarity-perl            1.04-1+b3
ii  libwww-curl-perl                     4.17-2+b1
ii  libxml-xpath-perl                    1.36-1
ii  libyaml-libyaml-perl                 0.41-6+b1
ii  lynx                                 2.8.9dev9-1
ii  perl                                 5.22.2-1
ii  publicsuffix                         20160525-1

duck recommends no packages.

Versions of packages duck suggests:
ii  bzr         2.7.0-7
ii  git         1:2.8.1-1
ii  mercurial   3.8.3-1
ii  subversion  1.9.4-1

-- no debconf information
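The rule the report asks for, gating the "please consider switching to HTTPS" hint on a certificate chain that verifies against the system trust store, as an added Python example (not duck's own code, which is Perl). It reads the `verify error:num=N:...` diagnostic that `openssl s_client` prints (the self-signed sample below is the report's own output; the "ok" sample is constructed), and for live use wraps a socket with `ssl.create_default_context()`, which on Debian trusts exactly the certificates update-ca-certificates has enabled in /etc/ssl/certs. Function names are hypothetical.

```python
"""Suggest https:// only when the server's chain verifies against the
system trust store (ca-certificates on Debian).  Added example, not duck."""
import re
import socket
import ssl
from urllib.parse import urlparse

# Standard OpenSSL X509 verify result codes (x509_vfy.h) for chains that are
# not anchored in the local store.  Any non-zero code blocks the suggestion;
# these are named so the reason can be reported in plain words.
UNTRUSTED_CHAIN_CODES = {
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Diagnostic line openssl s_client prints when chain verification fails.
VERIFY_ERROR_RE = re.compile(r"verify error:num=(\d+):(.*)")

# Taken from the s_client run in the report above (repo.or.cz, code 19).
SAMPLE_SELF_SIGNED = (
    "depth=1 serialNumber = 6a:ac:44:8f:07:1d:57:0a:1c:cf:12:a2:a7:8f:29:b9:"
    "c0:ed:cc:d7, CN = girocco rorcz root certificate\n"
    "verify error:num=19:self signed certificate in certificate chain\n"
    "DONE\n"
)
# Constructed sample of a chain that verified cleanly (no 'verify error').
SAMPLE_OK = "depth=0 CN = example.invalid\nverify return:1\nDONE\n"


def parse_s_client_verify(output):
    """Return (code, reason) from the first 'verify error:num=N:...' line of
    openssl s_client output, or (0, "ok") when no such line is present."""
    for line in output.splitlines():
        m = VERIFY_ERROR_RE.search(line)
        if m:
            return int(m.group(1)), m.group(2).strip()
    return 0, "ok"


def describe_verify_code(code):
    """Human-readable reason for a non-zero verify code."""
    return UNTRUSTED_CHAIN_CODES.get(code, "verify error %d" % code)


def should_suggest_https(verify_code):
    """Only a fully verified chain (OpenSSL result 0) justifies the hint;
    a self-signed or unknown-CA chain would send users into a warning page."""
    return verify_code == 0


def probe_https(hostname, port=443, timeout=5.0):
    """Live check against the system trust store; returns (code, reason).
    create_default_context() uses OpenSSL's default CA paths, on Debian the
    /etc/ssl/certs tree that update-ca-certificates builds from the entries
    enabled in /etc/ca-certificates.conf (lines prefixed '!' are left out)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return 0, "ok"
    except ssl.SSLCertVerificationError as exc:
        # Python 3.7+: the OpenSSL verify result is exposed on the exception.
        return exc.verify_code, exc.verify_message


def suggestion_for(url, verify_code):
    """The message duck prints for an http:// URL, or None when the HTTPS
    variant must not be recommended (non-http scheme or unverified chain)."""
    parts = urlparse(url)
    if parts.scheme != "http" or not should_suggest_https(verify_code):
        return None
    https_url = parts._replace(scheme="https").geturl()
    return ("The web page at %s works, but is also available via %s, "
            "please consider switching to HTTPS urls." % (url, https_url))


def check_url(url):
    """Full live pipeline: probe the host, then decide on the hint."""
    host = urlparse(url).hostname
    code, reason = probe_https(host)
    return suggestion_for(url, code), reason


if __name__ == "__main__":
    # Offline demonstration on the report's own s_client output.
    code, reason = parse_s_client_verify(SAMPLE_SELF_SIGNED)
    print("verify code %d: %s" % (code, describe_verify_code(code)))
    print("hint:", suggestion_for("http://repo.or.cz/w/conkeror.git", code))
```

With the report's output, `parse_s_client_verify` yields code 19 and `suggestion_for` returns None, so no hint is printed; only a chain that the enabled CA set verifies (code 0) produces the message duck currently emits unconditionally.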