[pkg-php-pear] What’s next? (was: src:symfony status)

Daniel Beyer dabe at deb.ymc.ch
Wed Oct 15 22:53:40 UTC 2014

Hi David,

On Wed, 2014-10-15 at 16:23 -0400, David Prévot wrote:
> Hi,
> On 15/10/2014 07:45, Daniel Beyer wrote:
> > I once again rebuilt it and ran the DEP-8 tests and all seems to be fine.
> > Thus it would be great if you could upload 2.3.20+dfsg-1 later on.
> It should be in incoming now. In case nothing too wrong happens, we
> should “just” have to stay alert in order to react quickly to security
> fixes (the only thing that makes me nervous with this big package ;).

SensioLabs might be willing to inform us about security issues in
advance of their public announcement, so we can prepare an update of
src:symfony. Since the pkg-php-pear list is public, would security at d.o
be the right address to ask them to send such information to?

BTW: The security-tracker.d.o falsely lists src:symfony as vulnerable to
two CVEs. Those 2011-* are long closed in the 2.3 series and the Debian
package clearly is not affected.
From what I found out, the file data/CVE/list in
svn://anonscm.debian.org/svn/secure-testing needs to be updated for that
false alert to disappear. But it's too late in the evening (well night)
here to dig further who can do that and how exactly it has to be
changed. Can you assist here (e.g. by pointing me in the right direction
or taking care of it yourself)?

> Daniel, IIRC, your initial interest was about Silex, so I guess you’ll
> soon (re)dive into it, but do not hesitate to document the missing
> (build-)dependency for Symfony 2.5 (or Silex) when you’ll look into it,
> I’d be happy to prepare some of them if you wish. (We may upload the
> latest Symfony version into experimental as soon as it’s ready ;-).

I'm currently taking care of twig (new upstream release + at least DEP-8
tests). After that I planned to continue with Silex. For Silex we have
all the dependencies (including require-dev) packaged, except current
Silex needs Symfony >=2.4. Thus it's reasonable to get Symfony 2.5 into
experimental, first.

For Symfony 2.5 we need:

But I think I'll update the wiki page tomorrow, since on a first quick
look, both of them in turn have dependencies not yet found in Debian.

> On my side, I’ll follow your lead and will look into packaging
> ZendFramework 2 as a big source with multiple binaries (I guess I’ll
> start during the freeze once there won’t be much more I can do for the
> release), and will also upload it to experimental once ready.

I rarely get in touch with ZendFramework, but I think the Debian
packaging might be similar to the one done for Symfony. Thus both
packages could have potential to benefit from each other. If you need
help/feedback/input/review/whatever working on it just drop a mail
whenever you want.
