[pkg-php-pear] Bug#932564: Should not use composer at runtime

David Prévot taffit at debian.org
Sat Jul 20 18:07:05 BST 2019


Package: movim
Version: 0.14.1-5
Severity: normal

Hi,

I just noticed that the movim package depends on composer. Looking
further, it seems to use the ClassLoader feature of Composer.

I’m not sure this is a proper (nor optimal) way to load classes in a
production system; I’m not even confident that’s a secure way to do it.

I thus would like to advise the use of a tool like phpab in order to
generate an autoload at build time, and let movim use this static
autoload at run time. As an example, may I point you to the composer
package that uses this technique.

This bug is X-Debbugs-Cc to the <pkg-php-pear at lists.alioth.debian.org>
list, maybe it could be a good place to discuss the issue further if you
want to (I tried to keep this report short), and I’m also open to help
moving to a static autoload.php (by providing a patch to this report for
example).

Maybe some movim dependencies are affected by a similar issue; I didn’t
open similar reports in those packages right now to avoid splitting the
discussion in various places. I’d like to advise hosting those
dependencies under the “Debian PHP PEAR (and Composer) Maintainers”
umbrella by the way.

Regards

David