[pkg-php-pear] composer and debian
math.parent at gmail.com
Thu Jun 27 16:22:40 UTC 2013
2013/6/27 David Prévot <taffit at debian.org>:
> On 27/06/2013 06:17, Mathieu Parent wrote:
>> 2013/6/27 David Prévot <taffit at debian.org>:
>>>>> - the tests should probably be installed
>>>> you're right - there's no reason why they shouldn't be there
>>> Actually, I disagree here: tests may not be “secured”, and mostly aimed
>>> to be used to verify the program (e.g. at build time) in “extreme”
>>> conditions. Keeping tests in the executable path often opens a security
>>> issue. So I would rather encourage you to not ship them unless a real
>>> security audit has been performed on this code.
>> If tests are a security risk, the code itself probably is.
> Maybe, but we’ve already witnessed real life practical issues with tests
> in PHP code, e.g.:
Oh! Unfortunately, I haven't found how it can be exploited.
>> Using tests at runtime ensures everything is correct
>> See also: http://dep.debian.net/deps/dep8/
> Not sure these two statements are related. DEP-8 looks like an empty
> placeholder that doesn’t suggest real runtime execution (“run
> "as-installed" tests”, “context as close as possible to a Debian
> system”) that links to autopkgtest’s current specification (have a look
> at the Tests-Directory definition):
You are right. The tests are run from the source package.
I still prefer to have a package to test, rather than the source
package (then, packaging it as a secondary package?).