[pkg-php-pear] (Not) shipping tests in binary packages

Thomas Goirand zigo at debian.org
Fri Jul 12 15:00:26 UTC 2013

On 07/11/2013 09:48 PM, Mathieu Parent wrote:
> Having tests installed by default adds value IMO. And I don't really
> see the risks unless when the test are directly accessible from the
> network (i.e in a vhost document root or alias or ...), which is the
> security hole to fix. Another risk is when the php app can do
> arbitraty includes (which is a BIG security risk - think of
> include('/etc/passwd');). Another thing is that PHP by default
> installs tests in "test_dir" (currently /usr/share/php/test in
> Debian). I'm OK to change this path, but I'm not sure of the gain.
> Regards
> --
> Mathieu Parent

If tests are accessible though /usr/share/php, then we might have a
problem in shared environment. If they are only in /usr/share/doc, then
it's ok. Tests are not supposed to be security safe.

Which is why I believe shipping them is fine (and best, to me), but they
should *NEVER* be in /usr/share/php.


More information about the pkg-php-pear mailing list