Newsgroups: php.internals
Message-ID: <1438094723.27690.4.camel@kuechenschabe>
To: Ferenc Kovacs
Cc: PHP Internals, Stanislav Malyshev, julien pauli, Kalle Sommer Nielsen, Anatoliy Belsky, Hannes Magnusson
Date: Tue, 28 Jul 2015 16:45:23 +0200
Subject: Re: [PHP-DEV] use https when downloading the pear installer
From: Johannes Schlüter <johannes@schlueters.de>

On Mon, 2015-07-27 at 09:32 +0200, Ferenc Kovacs wrote:
> Hi,
>
> I've just realized that even though https://pear.php.net/ is available, we
> are still downloading the install-pear-nozlib.phar via http:// in
> pear/Makefile.frag and makedist
> Do you happen to know any reason for keeping it that way or is this only
> for historical reasons (maybe pear.php.net did not have proper cert or
> configured to accept traffic on 443 originally when the download process
> was created) and should be ok to make this more secure (as it would prevent
> MITM attacks).

To evaluate the impact: Yes, https is better but shouldn't really matter. End-users shouldn't do this. The release script downloads it and the RM should verify it. The only case where the Makefile.frag should trigger the download is for git users, but they should be few and cautious.

(and yes - developers doing this might be an interesting targeted attack vector. Malicious code there knows where the developer keeps the source tree and might inject bad code into the codebase which we notice only with good review of commits ...
which we hopefully do ;-) )

johannes
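The fetch-and-verify step the reply describes (download over https only, and the release manager checks the artifact before it is used), written up here as an added example; it is not code from php-src, pear/Makefile.frag or makedist. It assumes curl plus sha256sum or shasum, and the pinned digest in the usage comment is a placeholder, not a value published by pear.php.net.

```shell
#!/bin/sh
# Added example: fetch a build artifact only over https and keep it only if
# its SHA-256 digest matches a value pinned by the release manager.
# Assumes curl and either sha256sum (coreutils) or shasum (BSD/macOS).

# Print the SHA-256 hex digest of a file, whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: status 0 on match, 1 otherwise.
# Digests are compared case-insensitively; an empty digest never matches.
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_pear_installer URL DEST EXPECTED_SHA256
# Refuses non-https URLs up front, tells curl to reject any redirect off
# https (--proto '=https'), fails on HTTP errors (-f), downloads to a temp
# file, and moves it to DEST only when the digest matches.
fetch_pear_installer() {
    url=$1; dest=$2; expected=$3
    case "$url" in
        https://*) ;;
        *) echo "refusing non-https URL: $url" >&2; return 1 ;;
    esac
    tmp="$dest.part.$$"
    if ! curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed: $url" >&2; return 1
    fi
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"; echo "digest mismatch for $url" >&2; return 1
    fi
}

# Usage in a build step. The digest below is a PLACEHOLDER, not a value
# published by pear.php.net; the RM pins the digest of the phar they verified.
# fetch_pear_installer https://pear.php.net/install-pear-nozlib.phar \
#     pear/install-pear-nozlib.phar \
#     0000000000000000000000000000000000000000000000000000000000000000
```

A git user running the Makefile target then gets a hard failure on a tampered or truncated download instead of a silently substituted phar.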