[pkg-php-pear] Bug#714173: ITP: php-symfony-process -- Symfony PHP Framework - Process component

Mathieu Parent math.parent at gmail.com
Tue Jul 2 19:47:53 UTC 2013


2013/7/2 David Prévot <taffit at debian.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi,
>
> On 02/07/2013 15:05, Thomas Goirand wrote:
>> On 06/30/2013 09:13 AM, David Prévot wrote:
>>> Please, drop the tests from the binary package
>>
>> If you look at other PEAR packages, that's not what we do.
>
> May I advise to reconsider what used to be done?
>
>> What is your
>> reasoning behind dropping the tests?
>
> <51CC4302.6090200 at debian.org>
> http://lists.alioth.debian.org/pipermail/pkg-php-pear/2013-June/001286.html

I still don't know how this ownCloud CVE can be exploited, but if
tests are accessible from the web then yes: it is a high security
risk.

Also, in the case of ownCloud, it was not a test suite, but a complete test tool!

I still consider having tests as part of packaging a good practice,
but it should be done in a different path and this path should not be
available from the web server (i.e., not in an Apache <Directory>).

> (There is more than one such example in the wild).

Do you have some pointers?

Regards
--
Mathieu Parent
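
The check discussed in this message (packaged tests must not sit under a path the web server exposes), as an added example that is not part of the original post or of any Debian tooling. The Apache configuration, the `exampleapp` name and the file list are constructed samples, and the parsing is deliberately simplified: it only considers `DocumentRoot`, `Alias` and whole-directory grants, and ignores `.htaccess`, `<Location>` and included files.

```python
import re

# Constructed sample Apache configuration (illustrative, not from the thread).
SAMPLE_CONF = """
DocumentRoot /var/www
Alias /exampleapp "/usr/share/exampleapp"
<Directory />
    Require all denied
</Directory>
<Directory "/usr/share/exampleapp">
    Require all granted
</Directory>
"""

# Constructed sample package file list, in the style of `dpkg -L` output.
SAMPLE_FILES = [
    "/usr/share/php/Symfony/Component/Process/Process.php",
    "/usr/share/php/Symfony/Component/Process/Tests/ProcessTest.php",
    "/usr/share/exampleapp/lib/base.php",
    "/usr/share/exampleapp/tests/index.php",
]

def _clean(path):
    # Drop surrounding quotes and the trailing slash; "/" becomes "".
    return path.strip().strip('"').rstrip("/")

def _under(path, root):
    return path == root or path.startswith(root + "/")

def web_reachable_tests(conf, files):
    """Return files in a tests directory that Apache maps to a URL and allows."""
    roots = [_clean(m.group(1)) for m in re.finditer(
        r'^\s*(?:DocumentRoot|Alias\s+\S+)\s+(\S+)', conf, re.I | re.M)]
    blocks = [(_clean(m.group(1)), m.group(2)) for m in re.finditer(
        r'<Directory\s+([^>]+)>(.*?)</Directory>', conf, re.I | re.S)]
    flagged = []
    for f in files:
        parts = f.lower().split("/")[:-1]
        if not any(p in ("test", "tests", "testsuite") for p in parts):
            continue  # not inside a tests directory
        if not any(_under(f, r) for r in roots):
            continue  # no URL maps to this path
        # The most specific enclosing <Directory> block decides access.
        matches = [b for b in blocks if _under(f, b[0])]
        body = max(matches, key=lambda b: len(b[0]), default=("", ""))[1]
        if re.search(r'Require\s+all\s+granted|Allow\s+from\s+all', body, re.I):
            flagged.append(f)
    return flagged
```

On the sample input only the tests under the aliased application directory are reported; the tests under `/usr/share/php` are not, because no `DocumentRoot` or `Alias` maps to them.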


