| Package home | Report new bug | New search | Development Roadmap | Status: Open | Feedback | All | Closed Since Version 1.9.4 |
| Request #10765 | check signature when installing/upgrading files | ||
|---|---|---|---|
| Submitted: | 2007-04-18 02:32 UTC | Modified: | 2007-06-01 11:11 UTC |
| From: | cweiske | Assigned: | |
| Status: | Open | Package: | PEAR (version 1.5.2) |
| PHP Version: | 5.2.1 | OS: | |
| Roadmaps: | 2.0.0 | ||
[2007-04-18 02:32 UTC] cweiske
(Christian Weiske)
Description:
------------
If a package contains a package.sig file, it should be used to verify the validity of the package. Currently, you can sign a package, that signature is used nowhere.
Comments
[2007-06-01 03:15 UTC] cweiske
(Christian Weiske)
Especially with mirrors and other channel servers than ours, security becomes a great concern. Given that PEAR can be used as a general install tool, it should have the same security standards/features as other package managers have, and this means security checks by package signatures.
[2007-06-01 03:19 UTC] cweiske
(Christian Weiske)
http://it.slashdot.org/article.pl?sid=07/05/31/1226222
is also a concern for pear as long as we don't check sigs and/or have ssl rest connections.