[pkg-php-pear] Bug#714173: ITP: php-symfony-process -- Symfony PHP Framework - Process component
math.parent at gmail.com
Tue Jul 2 19:47:53 UTC 2013
2013/7/2 David Prévot <taffit at debian.org>:
> On 02/07/2013 15:05, Thomas Goirand wrote:
>> On 06/30/2013 09:13 AM, David Prévot wrote:
>>> Please, drop the tests from the binary package
>> If you look at other PEAR packages, that's not what we do.
> May I advise to reconsider what used to be done?
>> What is your
>> reasoning behind dropping the tests?
> <51CC4302.6090200 at debian.org>
I still don't know how this ownCloud CVE can be exploited, but if
tests are accessible from the web then yes: it is a high security
Also, in the case of ownCloud, it was not a test suite, but a complete test tool!
I still consider having tests as part of packaging a good practice,
but it should be done in a different path and this path should not be
available from the web server (i.e., not in an Apache <Directory>).
> (There is more than one of such example in the wild).
Do you have some pointers?
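
Added example, not part of the original message or of any package discussed in it: a packaging-time check that flags test files installed under a path an Apache `<Directory>` block grants access to. The configuration, the `/usr/share/exampleapp` paths and the file list are constructed, and the model is simplified (the most specific `<Directory>` block decides; `Alias`, `.htaccess` and `DocumentRoot` are not considered).

```python
import re
from pathlib import PurePosixPath

# Constructed Apache configuration for a hypothetical web application.
APACHE_CONF = """
<Directory />
    Require all denied
</Directory>
<Directory /usr/share/exampleapp>
    Require all granted
</Directory>
<Directory "/usr/share/exampleapp/data">
    Require all denied
</Directory>
"""

# Constructed package file list, in the style of `dpkg -L` output.
PACKAGE_FILES = [
    "/usr/share/exampleapp/index.php",
    "/usr/share/exampleapp/lib/tests/run.php",
    "/usr/share/exampleapp/data/tests/fixture.php",
    "/usr/share/php/Symfony/Component/Process/Tests/ProcessTest.php",
]

BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
GRANT = re.compile(r"Require\s+all\s+granted|Allow\s+from\s+all", re.I)
DENY = re.compile(r"Require\s+all\s+denied|Deny\s+from\s+all", re.I)
TEST_DIRS = {"test", "tests"}

def access_rules(conf):
    """Map each <Directory> path to True (granted) or False (denied)."""
    rules = {}
    for path, body in BLOCK.findall(conf):
        if GRANT.search(body):
            rules[PurePosixPath(path)] = True
        elif DENY.search(body):
            rules[PurePosixPath(path)] = False
    return rules

def is_served(path, rules):
    """The most specific enclosing <Directory> block decides; default is denied."""
    p = PurePosixPath(path)
    matches = [d for d in rules if d == p or d in p.parents]
    return bool(matches) and rules[max(matches, key=lambda d: len(d.parts))]

def exposed_tests(files, conf):
    """Return files that sit in a test directory the web server would serve."""
    rules = access_rules(conf)
    return [f for f in files
            if TEST_DIRS & {part.lower() for part in PurePosixPath(f).parts[:-1]}
            and is_served(f, rules)]
```

An empty result from `exposed_tests(PACKAGE_FILES, APACHE_CONF)` is the state the message argues for; here the one flagged file is the test script under the granted application directory.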