[pkg-php-pear] (Not) shipping tests in binary packages
Thomas Goirand
zigo at debian.org
Tue Jul 9 16:15:07 UTC 2013
On 07/03/2013 05:08 AM, David Prévot wrote:
> Hi,
>
> On 02/07/2013 15:47, Mathieu Parent wrote:
>> 2013/7/2 David Prévot <taffit at debian.org>:
>
>> I still consider having tests as part of packaging a good practice,
>> but it should be done in a different path and this path should not be
>> available from the web server (i.e., not in an Apache <Directory>).
>
> Even then, there is still a risk of a misconfigured web server (that can
> also happen to be a default value).
>
> http://www.debian.org/security/2012/dsa-2452
Come on, that one is *not* an argument... :)

I do think that tests are very valuable for our users. They, by
definition, include good examples on how to use a lib.
> Introducing (or even
> keeping) potential risk vectors that are not mandatory at runtime
> doesn’t seem like a good idea at all: they end up in production servers…
IMO, they should just be shipped in /usr/share/doc, and that's it.
Probably that's a very good idea to fix pkg-php-tools to do that, and
probably to *not* do a symlink in /usr/share/php.

Thomas