Newsgroups: php.internals
From: johannes@schlueters.de (Johannes Schlüter)
To: internals@lists.php.net
Date: Tue, 28 Jul 2015 17:22:59 +0200
Subject: Re: [PHP-DEV] use https when downloading the pear installer
Message-ID: <1438096979.27690.10.camel@kuechenschabe>
In-Reply-To: <55B79B9A.7000903@php.net>

On Tue, 2015-07-28 at 17:11 +0200, Sebastian Bergmann wrote:
> On 07/28/2015 04:45 PM, Johannes Schlüter wrote:
> > (and yes - developers doing this might be an interesting targeted
> > attack vector. Malicious code there knows where the developer keeps
> > the source tree and might inject bad code into the codebase which we
> > notice only with good review of commits ... which we hopefully do ;-)
> > )
>
> If this really only affects the developers of PHP then how about
> toggling the default and not build --with-pear by default? Developers of
> PHP don't really care about PEAR anyway, or do they?

Mind that this only affects "make install"; if you don't install, it
won't be loaded. For a developer I hardly see a reason to install
(building shared extensions out of tree might be a reason), but if they
do, the experience should be as similar as possible to make sure the
tested behavior is what the user sees.

An approach might be to remove the automatic download and instruct the
user to put the file there manually if this is seen as important.

johannes