[pkg-php-pear] composer and debian

Mathieu Parent math.parent at gmail.com
Thu Jun 27 16:22:40 UTC 2013

2013/6/27 David Prévot <taffit at debian.org>:
> Hash: SHA256
> Hi,
> Le 27/06/2013 06:17, Mathieu Parent a écrit :
>> 2013/6/27 David Prévot <taffit at debian.org>:
>> [...]
>>>>> - the tests should probably be installed
>>>> you're right - there's no reason why they shouldn't be there
>>> Actually, I disagree here: tests may not be “secured”, and mostly aimed
>>> to be used to verify the program (e.g. at build time) in “extreme”
>>> conditions. Keeping tests in the executable path often opens a security
>>> issue. So I would rather encourage you to not ship them unless a real
>>> security audit has been performed on this code.
>> If tests are a security risk, the code itself probably is.
> Maybe, but we’ve already witnessed real life practical issues with tests
> in PHP code, e.g.:
>         http://owncloud.org/about/security/advisories/oC-SA-2013-005/

Oh! Unfortunately, I haven't found how it can be exploited.

>> Using test at runtime ensure everything is correct
> […]
>> See also : http://dep.debian.net/deps/dep8/
> Not sure these two statements are related. DEP-8 looks an empty
> placeholder that doesn’t suggest real runtime execution (“run
> "as-installed" tests”, “context as close as possible to a Debian
> system”) that links to autopkgtest’s current specification (have a look
> at the Tests-Directory definition):
> http://anonscm.debian.org/gitweb/?p=autopkgtest/autopkgtest.git;a=blob_plain;f=doc/README.package-tests;hb=HEAD

You are right. The tests are run from the source package.

I still prefer to have a package to test, rather than the source
package (then, packaging it as a secondary package?).


More information about the pkg-php-pear mailing list