[pkg-php-pear] composer and debian

David Prévot taffit at debian.org
Thu Jun 27 13:49:54 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 27/06/2013 06:17, Mathieu Parent wrote:
> 2013/6/27 David Prévot <taffit at debian.org>:
> [...]
>>
>>>> - the tests should probably be installed
>>>
>>> you're right - there's no reason why they shouldn't be there
>>
>> Actually, I disagree here: tests may not be “secured”, and mostly aimed
>> to be used to verify the program (e.g. at build time) in “extreme”
>> conditions. Keeping tests in the executable path often opens a security
>> issue. So I would rather encourage you to not ship them unless a real
>> security audit has been performed on this code.
> 
> If tests are a security risk, the code itself probably is.

Maybe, but we’ve already witnessed real life practical issues with tests
in PHP code, e.g.:

	http://owncloud.org/about/security/advisories/oC-SA-2013-005/

> Using tests at runtime ensures everything is correct
[…]
> See also : http://dep.debian.net/deps/dep8/

Not sure these two statements are related. DEP-8 looks like an empty
placeholder that doesn’t suggest real runtime execution (“run
"as-installed" tests”, “context as close as possible to a Debian
system”) and that links to autopkgtest’s current specification (have a
look at the Tests-Directory definition):

http://anonscm.debian.org/gitweb/?p=autopkgtest/autopkgtest.git;a=blob_plain;f=doc/README.package-tests;hb=HEAD

Regards

David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJRzEMCAAoJEAWMHPlE9r08uocH+wSfdaLzwMy6gkEoUDp41ivI
XSogTq4QE911tzTBDa2maXi3wBKJmiMig/0PplUZx2wAHR9+vymYk6no8pJE75NP
dXngRU/2KbzVgpZdHA4OS6pSp/sr/EmXdHGkGH5ajO75CPXncFr9v7GVnz9W/sWl
i+UEHe3Y9OYHdomFkEjxlpDoQ4fxqm/kS/ZL4BAfypFrmRZ5mZr0ni+Omk9m8pcc
6v8a/6T6+ZOMpqNwc9XsxcdZ4I3+WtvHfZI72XmFKNhCDar0p8NgDtJLJIzbxMm9
sASiZ6UCEv20ODA7vTK1Nm3n9VyRWiXb6Z7L8csD7rinbhnDc3juDal9PnIG5Lg=
=Sznh
-----END PGP SIGNATURE-----
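The packaging concern raised above (test suites ending up in the installed tree, where a web server may be able to execute them) can be caught before upload with a small staging check. The script below is an added example, not code from the thread or from any Debian packaging tool: it walks a staged install tree, lists every file living under a directory named `test`, `tests` or `Tests`, and fails when any are found, so the packager can exclude them (for instance with `dh_install -X`). The `Foo` package layout it builds under `mktemp` is a constructed sample, and the `find_shipped_tests`, `check_no_tests` and `make_sample_tree` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): flag test suites that would be shipped
# in a package's staged install tree, so they can be excluded rather than
# installed next to the code that serves requests.

# Print every regular file below a directory named test, tests or Tests
# anywhere under the tree given as $1. Sorted in the C locale so the output
# order does not depend on the caller's locale.
find_shipped_tests() {
    find "$1" -type f \( -path '*/tests/*' -o -path '*/test/*' -o -path '*/Tests/*' \) \
        | LC_ALL=C sort
}

# Return 0 when the tree ships no test files, 1 otherwise (offenders go to
# stderr so a build log shows exactly what would have been installed).
check_no_tests() {
    offenders=$(find_shipped_tests "$1")
    if [ -n "$offenders" ]; then
        printf 'test files would be installed:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Build a constructed sample install tree (hypothetical package "Foo")
# for the demonstration; prints the temporary root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/share/php/Foo/src" \
             "$root/usr/share/php/Foo/tests/fixtures"
    : > "$root/usr/share/php/Foo/src/Foo.php"
    : > "$root/usr/share/php/Foo/tests/FooTest.php"
    : > "$root/usr/share/php/Foo/tests/fixtures/upload.php"
    printf '%s\n' "$root"
}

# Stand-alone demo: ./check-tests.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    if ! check_no_tests "$tree"; then
        echo "exclude them from the package, e.g. with: dh_install -Xtests"
    fi
    rm -rf "$tree"
fi
```

In a real package the tree argument would be `debian/tmp` or `debian/<package>` after `dh_install` has run; a non-zero exit from `check_no_tests` in `debian/rules` makes the build fail instead of silently shipping the suite.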