[dev] PEAR GPG signing (patches)

Ralf Lang lang at b1-systems.de
Tue Nov 5 14:08:40 UTC 2013


On 05.11.2013 14:13, Mathieu Parent wrote:
> 2013/11/5 Michael M Slusarz <slusarz at horde.org>:
>> Following our discussion from a few weeks ago, I got off my butt and decided
>> to force the issue with the PEAR/PHP folks by actually writing the code
>> needed to do GPG signing/verifying in PEAR.
> 
> This is a great way forward.
> 
> Some notes:
> 
> Can we really rely on md5sums to check files? (response is probably no
> [1]). A solution would be to add sha1sum to package.xml.
> 
> Maybe the sign check should be moved to the same place as the checksum
> check [2]. Currently the code only checks the signature on a tgz or directory
> (but not when package.xml is directly given).
> 
> [1]: http://en.wikipedia.org/wiki/MD5#Security, even if a pre-image
> attack is theoretical
> [2]: https://github.com/pear/pear-core/blob/a71c2ae53dffdfa6bea5a6b023e4511ef50dea47/PEAR/Installer.php#L407
> 
>>
>> I have no clue what sort of speed PEAR patches are accepted this day - so I
>> may have mentioned that the Debian packagers are very interested in this
>> feature (apologies - can't recall off the top of my head who the Debian dev
>> is, and I hope I haven't misstated your position).
> 
> This was me, I'm a Debian PEAR packager and Debian Horde packager,
> but not a php packager. But I will push those changes once they are
> approved.
> 
The same for me on *suse.

-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
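The checksum step Mathieu describes, as an added example (not PEAR's own code): it verifies the files of an unpacked package against the digests in package.xml, preferring a sha1sum attribute over the md5sum one; the sha1sum attribute, the require_sha1 policy switch and the sample package.xml are assumptions, and the check is only meaningful after the signature over package.xml has been verified.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-ins for the files of an unpacked package (name -> bytes).
SAMPLE_FILES = {
    "Foo.php": b"<?php\necho 'foo';\n",
    "Bar.php": b"<?php\necho 'bar';\n",
}
_FOO, _BAR = SAMPLE_FILES["Foo.php"], SAMPLE_FILES["Bar.php"]

# Constructed package.xml in the v2 layout. Foo.php carries both the existing
# md5sum attribute and the proposed (hypothetical) sha1sum attribute; Bar.php
# is md5-only, which is what every package.xml looks like today.
SAMPLE_PACKAGE_XML = f"""<?xml version="1.0"?>
<package version="2.0" xmlns="http://pear.php.net/dtd/package-2.0">
 <contents><dir name="/">
  <file name="Foo.php" role="php" md5sum="{hashlib.md5(_FOO).hexdigest()}"
        sha1sum="{hashlib.sha1(_FOO).hexdigest()}"/>
  <file name="Bar.php" role="php" md5sum="{hashlib.md5(_BAR).hexdigest()}"/>
 </dir></contents>
</package>"""

def _matches(algo, data, expected_hex):
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual.encode(), expected_hex.encode())

def verify_contents(package_xml, files, require_sha1=False):
    """Check every <file> entry of package_xml against the bytes in `files`.
    Only meaningful once the signature over package.xml has been verified;
    until then the digests are as untrusted as the files they describe.
    Returns {name: status}, status being "ok" (sha1sum matches), "weak-md5"
    (md5sum only; accepted unless require_sha1), "rejected", "mismatch" or "missing".
    """
    results = {}
    for el in ET.fromstring(package_xml).findall(".//{*}file"):  # any namespace
        name, md5, sha1 = el.get("name"), el.get("md5sum"), el.get("sha1sum")
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif md5 is not None and not _matches("md5", data, md5):
            results[name] = "mismatch"  # a wrong md5sum is always a hard failure
        elif sha1 is not None:
            results[name] = "ok" if _matches("sha1", data, sha1) else "mismatch"
        elif md5 is None or require_sha1:
            results[name] = "rejected"  # no digest acceptable under the policy
        else:
            results[name] = "weak-md5"
    return results
```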
