
Bug #11181 pear requests channel.xml from main server instead of from mirror
Submitted: 2007-05-30 23:27 UTC
From: cweiske
Assigned: dufuz
Status: Closed
Package: PEAR (version 1.5.4)
PHP Version: Irrelevant
OS:
Roadmaps: 1.9.0


[2007-05-30 23:27 UTC] cweiske (Christian Weiske)
Description:
ethereal/wireshark shows that using config-set preferred_mirror de.pear.php.net causes package info and files to be downloaded from the mirror, but channel.xml files are still requested from the main server (pear.php.net).

Comments

 [2007-05-31 20:09 UTC] saltybeagle (Brett Bieber)
I believe this is done for security reasons - PEAR should verify that a mirror is approved by the official channel before allowing a preferred mirror to be set.
 [2007-05-31 20:16 UTC] cweiske (Christian Weiske)
You misunderstood: the channel.xml file is *always* transferred from the main server (list-all, install, ...), not only when setting the mirror.
 [2007-06-01 02:48 UTC] cellog (Greg Beaver)
The check is simply to test for updates to the primary channel.xml and print the "warning: channel pear.php.net has updated protocols use pear channel-update pear.php.net".

I see two possible solutions:
1) don't make this check if a preferred_mirror is set
2) assume that mirrors are trustworthy

I am also leery of #2 for security reasons. Sure we can trust PEAR mirrors, but should we assume this is always true? I suppose we could amend the channel.xml format to specify whether a mirror is trusted, but this starts to get a bit too complex. What about just implementing #1?
 [2007-06-01 07:31 UTC] cweiske (Christian Weiske)
The security problem does surely exist. But installing packages from a malicious channel is even worse than not getting the wrong channel.xml. So:

1) The user explicitly tells you that he wants the mirror by using config-set preferred_mirror and knows of security implications. In that case, everything should be done with the mirror (remember, it's to unburden the main server), also checking channel.xml.

2) Mirrors are not trustworthy and should not be used at all OR have the explicit permission from the main server. This should be checked when changing the mirror: config-set preferred_mirror -> load list of "official" or trustworthy channels from main server -> if it's not in the list, ask the user if he really wants that and do it anyway if he does. That way, we'd also get a list of mirrors through the pear cmdline tool that could be accessed via channel-mirrors-list or so.
 [2007-06-01 16:10 UTC] cellog (Greg Beaver)
pear config-set preferred_mirror will only work if the mirror is listed in the channel.xml downloaded from the primary server, so this does indeed put the burden of trust on the primary server already. The mirror is serving REST and .tgz files, which are far more important than the channel.xml. Ultimately, I think the security question is bogus, and this should be implemented (it's an easy fix in PEAR_Downloader->download()).
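The trust anchor both comments above rely on is that a host may be set as preferred_mirror only if the channel.xml fetched from the primary server lists it. The following is an added illustration in Python of that check; it is not PEAR's own code (PEAR's implementation lives in PEAR_Downloader and PEAR_ChannelFile). The embedded channel.xml is a constructed sample laid out the way the PEAR channel-1.0 format declares servers (an assumption: `<mirror host="...">` elements under `<servers>`, each with a `<rest><baseurl type="REST1.0">` child), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample channel.xml, laid out like PEAR's channel-1.0 format
# (assumption: <mirror host="..."> elements under <servers>, each with a
# <rest><baseurl type="REST1.0"> child). It is not fetched from pear.php.net.
SAMPLE_CHANNEL_XML = """<?xml version="1.0"?>
<channel version="1.0" xmlns="http://pear.php.net/channel-1.0">
 <name>pear.php.net</name>
 <suggestedalias>pear</suggestedalias>
 <summary>constructed sample</summary>
 <servers>
  <primary>
   <rest><baseurl type="REST1.0">http://pear.php.net/rest/</baseurl></rest>
  </primary>
  <mirror host="de.pear.php.net">
   <rest><baseurl type="REST1.0">http://de.pear.php.net/rest/</baseurl></rest>
  </mirror>
  <mirror host="us.pear.php.net">
   <rest><baseurl type="REST1.0">http://us.pear.php.net/rest/</baseurl></rest>
  </mirror>
 </servers>
</channel>
"""


def _local(tag):
    """Strip the XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _rest_baseurl(server_el):
    """Return the REST1.0 base URL declared under a <primary> or <mirror> element."""
    for el in server_el.iter():
        if _local(el.tag) == "baseurl" and el.get("type") == "REST1.0":
            return (el.text or "").strip()
    return None


def parse_channel_xml(xml_text):
    """Parse a channel.xml into the channel name, the primary REST URL and
    the mirrors the primary server vouches for ({host: rest_url})."""
    root = ET.fromstring(xml_text)
    name = next(((c.text or "").strip() for c in root if _local(c.tag) == "name"), None)
    primary = None
    mirrors = {}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "primary":
            primary = _rest_baseurl(el)
        elif tag == "mirror" and el.get("host"):
            mirrors[el.get("host")] = _rest_baseurl(el)
    return {"name": name, "primary": primary, "mirrors": mirrors}


def resolve_preferred_mirror(channel_xml_from_primary, requested_host):
    """Decide whether requested_host may be used as preferred_mirror.

    Returns the REST base URL to download from, or None when the primary
    server's channel.xml does not list that host. A mirror is accepted only
    because the primary channel advertised it, so a typo or a host the
    primary never vouched for is refused rather than silently used.
    """
    channel = parse_channel_xml(channel_xml_from_primary)
    if requested_host == channel["name"]:
        return channel["primary"]
    return channel["mirrors"].get(requested_host)


if __name__ == "__main__":
    for host in ("de.pear.php.net", "pear.php.net", "evil.example.invalid"):
        url = resolve_preferred_mirror(SAMPLE_CHANNEL_XML, host)
        print(host, "->", url if url else "refused: not listed by primary channel.xml")
```

Because the decision is made against the copy of channel.xml obtained from the primary server, a mirror cannot widen its own authority by editing the channel.xml it serves; that is the reason the thread concludes the primary's copy is the one worth trusting for this step.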
 [2007-06-01 23:15 UTC] cellog (Greg Beaver)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.
 [2009-04-17 05:01 UTC] yunosh (Jan Schneider)
Unless I misunderstood the final comments in this ticket, this popped up again at least since version 1.7. channel.xml is always loaded from the main server, while I have read Greg's final comment as if it should be loaded from the mirror.
 [2009-04-17 17:25 UTC] cweiske (Christian Weiske)
Status: Closed -> Open
Assigned To: cellog -> dufuz
 [2009-08-02 17:58 UTC] dufuz (Helgi Þormar Þorbjörnsson)
Status: Assigned -> Closed
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.
 [2009-08-02 17:59 UTC] dufuz (Helgi Þormar Þorbjörnsson)
Jan, can you test this again? Christian and I don't experience this with the latest svn trunk.