[pkg-php-pear] Comments about php-timer (was: Please review: phpunit 2.7.28-1 and depend)

Mathieu Parent math.parent at gmail.com
Wed Feb 5 10:59:58 UTC 2014

2014-02-04 21:30 GMT+01:00 "David Prévot" <david at tilapin.org>:
> Hi Prach,
>>> Le 20/01/2014 12:10, Prach Pongpanich a écrit :
>>>> Could you please sponsor them?
>>>> [3] http://anonscm.debian.org/gitweb/?p=pkg-php/php-timer.git
> Please add a pristine-tar branch (and this ../build-area/ is really a PITA).
> Please fix the Vcs- fields to their canonical path (it’s even spotted by
> “cme check dpkg” now).
> Removing README.md may be overkill (it provides an Usage section).
> Please let me know if you prefer to fix those via a later upload, and I’ll
> upload the package in its current status (if you have time to fixes any of
> those right now, even better ;).
> Is there an existing workflow that would allow us to check the package.sig
> (à la pgpsigurlmangle)?

The problem is that package.sig only signs package.xml file. This is
secure only if:
- package.xml is verified against package.sig, AND
- package.xml has sha1sum, AND
- sha1sums are checked

point 2 is always false because pkg-php-tools removes sums during
install to allow patching (which means that point 3 is false also).

No idea how to fix this without breaking patching.


More information about the pkg-php-pear mailing list