[pkg-php-pear] What’s next?

David Prévot david at tilapin.org
Wed Oct 15 23:13:51 UTC 2014


Hi Daniel,

On 15/10/2014 18:53, Daniel Beyer wrote:
> On Wed, 2014-10-15 at 16:23 -0400, David Prévot wrote:

>> […] we
>> should “just” have to stay alert in order to react quickly to security
>> fixes (the only thing that makes me nervous with this big package ;).

> SensioLabs might be willing to inform us about security issues in
> advance of their public announcement, so we can prepare an update of
> src:symfony.

That would be much appreciated.

> Since the pkg-php-pear list is public, would security at d.o be
> the right address to ask them to send such information to?

Right, and us both. Well, especially us both, so we can prepare the
fixes and coordinate the upload with the security team (my GPG key is in
the WoT if encryption is to be used).

> BTW: The security-tracker.d.o falsely lists src:symfony as vulnerable to
> two CVEs. Those 2011-* are long closed in the 2.3 series and the Debian
> package clearly is not affected.

The security team is in charge, I just pinged them on IRC, feel free to
mail them in case it doesn’t get fixed.

> For Symfony 2.5 we need:
> doctrine/doctrine-bundle
> egulias/email-validator

Thanks for the pointers, I’ll try and start looking into them tomorrow
(I’ll have some spare time offline, so I need to prepare myself ;)

Regards

David
