Newsgroups: php.internals
To: internals@lists.php.net
Date: Tue, 28 Jul 2015 17:11:22 +0200
Message-ID: <55B79B9A.7000903@php.net>
In-Reply-To: <1438094723.27690.4.camel@kuechenschabe>
Subject: Re: [PHP-DEV] use https when downloading the pear installer
From: sebastian@php.net (Sebastian Bergmann)

On 07/28/2015 04:45 PM, Johannes Schlüter wrote:
> (and yes - developers doing this might be an interesting targeted
> attack vector. Malicious code there knows where the developer keeps
> the source tree and might inject bad code into the codebase which we
> notice only with good review of commits ... which we hopefully do ;-)
> )

If this really only affects the developers of PHP then how about
toggling the default and not build --with-pear by default? Developers
of PHP don't really care about PEAR anyway, or do they?