[pkg-php-pear] composer and debian

Mathieu Parent math.parent at gmail.com
Thu Jun 27 16:22:40 UTC 2013


2013/6/27 David Prévot <taffit at debian.org>:
> Hi,
>
> On 27/06/2013 06:17, Mathieu Parent wrote:
>> 2013/6/27 David Prévot <taffit at debian.org>:
>> [...]
>>>
>>>>> - the tests should probably be installed
>>>>
>>>> you're right - there's no reason why they shouldn't be there
>>>
>>> Actually, I disagree here: tests may not be “secured”, and are mostly
>>> aimed at verifying the program (e.g. at build time) in “extreme”
>>> conditions. Keeping tests in the executable path often opens a security
>>> issue. So I would rather encourage you not to ship them unless a real
>>> security audit has been performed on this code.
>>
>> If tests are a security risk, the code itself probably is.
>
> Maybe, but we’ve already witnessed real life practical issues with tests
> in PHP code, e.g.:
>
>         http://owncloud.org/about/security/advisories/oC-SA-2013-005/

Oh! Unfortunately, I haven't found how it can be exploited.

>> Using tests at runtime ensures everything is correct
> […]
>> See also: http://dep.debian.net/deps/dep8/
>
> Not sure these two statements are related. DEP-8 looks like an empty
> placeholder that doesn’t suggest real runtime execution (“run
> "as-installed" tests”, “context as close as possible to a Debian
> system”) and links to autopkgtest’s current specification (have a look
> at the Tests-Directory definition):
>
> http://anonscm.debian.org/gitweb/?p=autopkgtest/autopkgtest.git;a=blob_plain;f=doc/README.package-tests;hb=HEAD

You are right. The tests are run from the source package.

I still prefer to have a package to test, rather than the source
package (then, packaging it as a secondary package?).


--
Mathieu
