[pkg-php-pear] (Not) shipping tests in binary packages (was: Bug#714173: ITP: php-symfony-process -- Symfony PHP Framework - Process component)

David Prévot taffit at debian.org
Tue Jul 2 21:08:15 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 02/07/2013 15:47, Mathieu Parent wrote:
> 2013/7/2 David Prévot <taffit at debian.org>:

> I still consider having tests as part of packaging a good practice,
> but it should be done in a different path and this path should not be
> available from the web server (i.e, not in an Apache <Directory>).

Even then, there is still a risk of a misconfigured web server (that can
also happen to be a default value).

	http://www.debian.org/security/2012/dsa-2452

>> (There is more than one of such example in the wild).
> 
> Do you have some pointers?

Not right now, sorry, but I doubt many other packages (I mean, in other
programming languages) usually ship tests: they’re a nice feature if
they can be used at build time, but if someone wants to run them
afterwards, they’re just an “apt-get source” away. Introducing (or even
keeping) potential risk vectors that are not mandatory at runtime
doesn’t seem like a good idea at all: they end up on production servers…

Regards

David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJR00E/AAoJEAWMHPlE9r08PVUH/Rk54TRoljvKNYHIhHXQSgmC
/xGjkeEwQy19bkow+D8Y5on0e5Xnqw6sxU9Uu1YqHJ5xGubPm/46UsJz0D8/YXZO
D0upF03+83tEi9r+D4fA22TLKdsDB2T7rNA9CzyS/hPKfKbxOKWDpIg99s87J5oz
Z54SkLi2+pfi8s0euJa4K81sVrel5T35uNW4SFU4tuKkAXM+WOcy07uweZsJlMqX
7rYXhF3/3oxgnXxIXSKNAtXe3tJTALzWJBuLdktAkpg41r7zGZU9PJxPt67+Q7Gm
3nVDMLwMcvfTMh6+0QW93DI6R8/AIlk/3+D7Pf4h/CH5gWlCDQD2lS/thqrxTQQ=
=qzIm
-----END PGP SIGNATURE-----
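The audit below is an added example and not part of the thread or of any Debian package: it takes a `dpkg -L`-style file list and a list of directories the web server serves, and prints every test-like file (paths containing `tests/`, `Tests/`, `fixtures/` or ending in `Test.php`) that sits under a served root. The sample file list, the web roots and the function names are constructed for the example; a real run would feed it `dpkg -L <package>` and the roots taken from the Apache `<Directory>` and `Alias` stanzas actually in use. It only finds exposed files; the thread's point is that not shipping them at all removes the problem entirely.

```sh
#!/bin/sh
# Added example: flag test files that would be reachable through the web server.
# Not from the original thread; paths and roots below are constructed.

# Constructed sample in the shape of `dpkg -L` output for a hypothetical package.
SAMPLE_FILES='/usr/share/php/Symfony/Component/Process/Process.php
/usr/share/php/Symfony/Component/Process/Tests/ProcessTest.php
/usr/share/php/Symfony/Component/Process/Tests/Fixtures/pipe-stdin.php
/usr/share/doc/php-symfony-process/changelog.Debian.gz
/usr/share/php/Symfony/Component/Process/README.md'

# Directories assumed to be served by the web server (e.g. from <Directory>
# or Alias stanzas). Assumed values for the example.
WEB_ROOTS='/usr/share/php
/var/www'

# find_exposed_tests FILE_LIST WEB_ROOTS
# Prints each test-like file from FILE_LIST that lies under one of WEB_ROOTS.
find_exposed_tests() {
    files=$1
    roots=$2
    printf '%s\n' "$files" | while IFS= read -r f; do
        # Keep only paths that look like test material.
        case "$f" in
            */[Tt]ests/*|*/[Tt]est/*|*[Tt]est.php|*/[Ff]ixtures/*) ;;
            *) continue ;;
        esac
        # Report the file if it is below any served root.
        printf '%s\n' "$roots" | while IFS= read -r r; do
            [ -n "$r" ] || continue
            case "$f" in
                "$r"/*) printf '%s\n' "$f"; break ;;
            esac
        done
    done
}

# count_exposed_tests FILE_LIST WEB_ROOTS -> number of exposed test files
count_exposed_tests() {
    find_exposed_tests "$1" "$2" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample. For an installed package use:
#   find_exposed_tests "$(dpkg -L php-symfony-process)" "$WEB_ROOTS"
find_exposed_tests "$SAMPLE_FILES" "$WEB_ROOTS"
```

Anything this prints is a file the build could have left out and that a web client can request once the serving root matches; an empty result on a given host only says the current configuration does not expose them, which is exactly the assumption the thread warns against relying on.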