Control: tag -1 + confirmed Hi Simon,
Simon McVittie wrote: > While looking for upstream fixes for zsh compatibility with gcc 14, > I noticed that the source package uses git:// and http:// URLs in > debian/upstream/metadata, which do not authenticate the identity of the > remote server and so are vulnerable to man-in-the-middle attacks. Please > replace them with their equivalent https:// URLs, for example by applying > the attached patch. Thanks. The last time I looked, IIRC neither HTTPS *.sourceforge.io not git over HTTPS did work. But that was probably already more than a year ago. > -Changelog: http://zsh.sourceforge.net/releases.html > +Changelog: https://zsh.sourceforge.io/releases.html Works. > -FAQ: http://zsh.sourceforge.net/FAQ/ > +FAQ: https://zsh.sourceforge.io/FAQ/ Works. > -Homepage: http://zsh.sourceforge.net/ > +Homepage: https://zsh.sourceforge.io/ Works. > -Repository: git://git.code.sf.net/p/zsh/code > +Repository: https://git.code.sf.net/p/zsh/code Odd. Works with "git clone", but not in a browser. Oh well. > -Documentation: http://zsh.sourceforge.net/Doc/ > +Documentation: https://zsh.sourceforge.io/Doc/ Works. So yes, we should apply this. P.S.: Thanks also for the gcc-14 patch! Regards, Axel -- ,''`. | Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
