[pkg-php-pear] Comments about php-timer (was: Please review: phpunit 2.7.28-1 and depend)

Mathieu Parent math.parent at gmail.com
Wed Feb 5 10:59:58 UTC 2014


2014-02-04 21:30 GMT+01:00 "David Prévot" <david at tilapin.org>:
> Hi Prach,
>
>>> On 20/01/2014 12:10, Prach Pongpanich wrote:
>
>>>> Could you please sponsor them?
>
>>>> [3] http://anonscm.debian.org/gitweb/?p=pkg-php/php-timer.git
>
> Please add a pristine-tar branch (and this ../build-area/ is really a PITA).
> Please fix the Vcs- fields to their canonical path (it’s even spotted by
> “cme check dpkg” now).
> Removing README.md may be overkill (it provides a Usage section).
>
> Please let me know if you prefer to fix those via a later upload, and I’ll
> upload the package in its current status (if you have time to fix any of
> those right now, even better ;).
>
> Is there an existing workflow that would allow us to check the package.sig
> (à la pgpsigurlmangle)?

The problem is that package.sig only signs package.xml file. This is
secure only if:
- package.xml is verified against package.sig, AND
- package.xml has sha1sum, AND
- sha1sums are checked

Point 2 is always false because pkg-php-tools removes sums during
install to allow patching (which means that point 3 is false also).

No idea how to fix this without breaking patching.

Regards
-- 
Mathieu
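A small check for the three conditions Mathieu lists, written as an added example (it is not code from the thread or from pkg-php-tools): the package.xml layout and the `sha1sum` attribute name follow the e-mail's wording and are assumptions, and verifying package.xml against package.sig itself (point 1) is left to gpg. It shows why the signature says nothing about file contents once the sums are stripped.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample file set standing in for a PEAR tarball's contents.
FILES = {
    "Timer.php": b"<?php\nclass PHP_Timer {}\n",
}


def package_xml(files, with_sums=True):
    """Build a minimal package.xml-like document (assumed layout, not the
    full PEAR schema). with_sums=False mimics pkg-php-tools stripping the
    per-file sums so the files can be patched."""
    parts = ["<package><contents>"]
    for name, data in files.items():
        attr = f' sha1sum="{hashlib.sha1(data).hexdigest()}"' if with_sums else ""
        parts.append(f'<file name="{name}" role="php"{attr}/>')
    parts.append("</contents></package>")
    return "".join(parts)


def verify_contents(pkg_xml, files):
    """Points 2 and 3: every <file> must carry a sum (point 2) and the sum
    must match the shipped content (point 3). Assumes pkg_xml has already
    been verified against package.sig (point 1).

    Returns (ok, problems); ok is True only when both points hold for all files."""
    root = ET.fromstring(pkg_xml)
    problems = []
    for f in root.iter("file"):
        name = f.get("name")
        expected = f.get("sha1sum")
        if expected is None:
            # Signature over package.xml no longer covers this file's bytes.
            problems.append(f"{name}: no sha1sum in package.xml (point 2 fails)")
            continue
        if name not in files:
            problems.append(f"{name}: listed in package.xml but missing")
            continue
        actual = hashlib.sha1(files[name]).hexdigest()
        if actual != expected:
            problems.append(f"{name}: sha1 mismatch (point 3 fails)")
    return (not problems, problems)
```

With the pristine package.xml a patched Timer.php is reported as a mismatch; with the sums stripped the same patched file can no longer be told apart from the original.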


