Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.10.16

Request #10765 check signature when installing/upgrading files
Submitted: 2007-04-18 07:32 UTC
From: cweiske Assigned:
Status: Open Package: PEAR (version 1.5.2)
PHP Version: 5.2.1 OS:
Roadmaps: (Not assigned)    
Subscription  


 [2007-04-18 07:32 UTC] cweiske (Christian Weiske)
Description: ------------ If a package contains a package.sig file, it should be used to verify the validity of the package. Currently, you can sign a package, that signature is used nowhere.

Comments

 [2007-06-01 08:15 UTC] cweiske (Christian Weiske)
Especially with mirrors and other channel servers than ours, security becomes a great concern. Given that PEAR can be used as a general install tool, it should have the same security standards/features as other package managers have, and this means security checks by package signatures.
 [2007-06-01 08:19 UTC] cweiske (Christian Weiske)
http://it.slashdot.org/article.pl?sid=07/05/31/1226222 is also a concern for pear as long as we don't check sigs and/or have ssl rest connections.