Hi,
I've just realized that even though https://pear.php.net/ is available, we
are still downloading the install-pear-nozlib.phar via http:// in
pear/Makefile.frag and makedist
Do you happen to know any reason for keeping it that way or is this only
for historical reasons (maybe pear.php.net did not have proper cert or
configured to accept traffic on 443 originally when the download process
was created) and should be ok to make this more secure (as it would prevent
MITM attacks).
What do you think?
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
> Hi,
> I've just realized that even though https://pear.php.net/ is available, we
> are still downloading the install-pear-nozlib.phar via http:// in
> pear/Makefile.frag and makedist
> Do you happen to know any reason for keeping it that way or is this only for
> historical reasons (maybe pear.php.net did not have proper cert or
> configured to accept traffic on 443 originally when the download process was
> created) and should be ok to make this more secure (as it would prevent MITM
> attacks). What do you think?
I think nice catch hat tip.
I'm pretty sure no one cared when this was written ~10 years ago -- we
didn't even have any certificate issued, not even CAcert at that
point.
-Hannes
>> Hi,
>> I've just realized that even though https://pear.php.net/ is available, we
>> are still downloading the install-pear-nozlib.phar via http:// in
>> pear/Makefile.frag and makedist
>> Do you happen to know any reason for keeping it that way or is this only
>> for historical reasons (maybe pear.php.net did not have proper cert or
>> configured to accept traffic on 443 originally when the download process
>> was created) and should be ok to make this more secure (as it would prevent
>> MITM attacks). What do you think?
> I think nice catch hat tip.
> I'm pretty sure no one cared when this was written ~10 years ago -- we
> didn't even have any certificate issued, not even CAcert at that
> point.
> -Hannes
I will change it to https in master, and if nobody complains about it after
the next PHP7 beta/RC I will backport it to the lower branches.
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
> Hi,
> I've just realized that even though https://pear.php.net/ is available, we
> are still downloading the install-pear-nozlib.phar via http:// in
> pear/Makefile.frag and makedist
> Do you happen to know any reason for keeping it that way or is this only
> for historical reasons (maybe pear.php.net did not have proper cert or
> configured to accept traffic on 443 originally when the download process
> was created) and should be ok to make this more secure (as it would prevent
> MITM attacks).
To evaluate the impact:
Yes, https is better but shouldn't really matter. End-users shouldn't do
this. The release script downloads it and the RM should verify it. The only
case where the Makefile.frag should trigger the download is for git
users, but they should be few and cautious.
(and yes - developers doing this might be an interesting targeted attack
vector. Malicious code there knows where the developer keeps the source
tree and might inject bad code into the codebase which we notice only
with good review of commits ... which we hopefully do ;-) )
johannes
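As an added illustration of the "download it over https and have the RM verify it" step discussed above (this is example code, not the thread's or PHP's own Makefile.frag/makedist logic): the script below fetches the phar with curl restricted to https and refuses to keep the file unless its SHA-256 matches a digest pinned in the tree. The names PEAR_PHAR_URL, PEAR_PHAR_SHA256, sha256_of, verify_phar and fetch_phar are assumptions for this example, and the pinned digest is a placeholder value, not the digest of any real release.

```shell
#!/bin/sh
# Added example, not code from the PHP build system: fetch
# install-pear-nozlib.phar over HTTPS only and refuse to use it unless its
# SHA-256 matches a digest recorded in the source tree.

# Hypothetical names for this example.
PEAR_PHAR_URL="https://pear.php.net/install-pear-nozlib.phar"
# Placeholder digest: a real tree would pin the digest of the release the RM
# verified, not this example value.
PEAR_PHAR_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 of a file using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when FILE exists and its digest equals EXPECTED, 1 otherwise.
verify_phar() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Download with curl limited to https ('--proto =https' also applies to
# redirects, which --proto-redir cannot re-enable), then verify the digest.
# On mismatch the file is removed so a later "make install" cannot pick up
# an unverified copy.
fetch_phar() {
    url="$1"
    dest="$2"
    expected="$3"
    curl --proto '=https' --tlsv1.2 -fsSL -o "$dest" "$url" || return 1
    if verify_phar "$dest" "$expected"; then
        echo "verified $dest"
    else
        echo "digest mismatch for $dest; refusing to install" >&2
        rm -f "$dest"
        return 1
    fi
}

# Usage (needs network access):
#   fetch_phar "$PEAR_PHAR_URL" pear/install-pear-nozlib.phar "$PEAR_PHAR_SHA256"
```

The point of pinning the digest in the tree is that https alone only authenticates the server; a checked-in digest additionally ties the build to the exact file the release manager verified, so a changed file on the mirror, or a compromised CA, is caught at build time rather than at the next code review.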
> (and yes - developers doing this might be an interesting targeted
> attack vector. Malicious code there knows where the developer keeps
> the source tree and might inject bad code into the codebase which we
> notice only with good review of commits ... which we hopefully do ;-) )
If this really only affects the developers of PHP then how about
toggling the default and not build --with-pear by default? Developers of
PHP don't really care about PEAR anyway, or do they?
>> (and yes - developers doing this might be an interesting targeted
>> attack vector. Malicious code there knows where the developer keeps
>> the source tree and might inject bad code into the codebase which we
>> notice only with good review of commits ... which we hopefully do ;-) )
> If this really only affects the developers of PHP then how about
> toggling the default and not build --with-pear by default? Developers of
> PHP don't really care about PEAR anyway, or do they?
Mind that this only affects "make install" if you don't install it won't
be loaded. For a developer I hardly see a reason to install (building
shared extensions out of tree might be a reason) but if they do the
experience should be as similar as possible to make sure the tested
behavior is what the user sees.
An approach might be to remove the automatic download and instruct
the user to put the file there manually if this is seen as important.
johannes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
> An approach might be to remove the automatic download and
> instruct the user to put the file there manually if this is seen
> as important.
+1