[dev] PEAR GPG signing (patches)

Mathieu Parent math.parent at gmail.com
Tue Nov 5 13:13:05 UTC 2013


2013/11/5 Michael M Slusarz <slusarz at horde.org>:
> Following our discussion from a few weeks ago, I got off my butt and decided
> to force the issue with the PEAR/PHP folks by actually writing the code
> needed to do GPG signing/verifying in PEAR.

This is a great way forward.

Some notes:

Can we really rely on md5sums to check files? (The answer is probably no
[1].) A solution would be to add sha1sum to package.xml.

Maybe the sign check should be moved to the same place as the checksum
check [2]. Currently the code only checks the signature on a tgz or directory
(but not when package.xml is given directly).

[1]: http://en.wikipedia.org/wiki/MD5#Security, even if the pre-image
attack is theoretical
[2]: https://github.com/pear/pear-core/blob/a71c2ae53dffdfa6bea5a6b023e4511ef50dea47/PEAR/Installer.php#L407

>
> I have no clue what sort of speed PEAR patches are accepted this day - so I
> may have mentioned that the Debian packagers are very interested in this
> feature (apologies - can't recall off the top of my head who the Debian dev
> is, and I hope I haven't misstated your position).

This was me: I'm a Debian PEAR packager and Debian Horde packager,
but not a PHP packager. But I will push those changes once they are
approved.

-- 
Mathieu

