[pkg-php-pear] (Not) shipping tests in binary packages
zigo at debian.org
Fri Jul 12 15:00:26 UTC 2013
On 07/11/2013 09:48 PM, Mathieu Parent wrote:
> Having tests installed by default adds value IMO. And I don't really
> see the risks unless when the test are directly accessible from the
> network (i.e in a vhost document root or alias or ...), which is the
> security hole to fix. Another risk is when the php app can do
> arbitraty includes (which is a BIG security risk - think of
> include('/etc/passwd');). Another thing is that PHP by default
> installs tests in "test_dir" (currently /usr/share/php/test in
> Debian). I'm OK to change this path, but I'm not sure of the gain.
> Mathieu Parent
If tests are accessible though /usr/share/php, then we might have a
problem in shared environment. If they are only in /usr/share/doc, then
it's ok. Tests are not supposed to be security safe.
Which is why I believe shipping them is fine (and best, to me), but they
should *NEVER* be in /usr/share/php.
More information about the pkg-php-pear