[php-maint] An automatic script to build PEAR packages
atomo64+debian at gmail.com
Wed Dec 30 06:09:12 UTC 2009
[Last message CC'ing the ML, it is getting a bit off-topic]
2009/12/29 Thomas Goirand <thomas at goirand.fr>:
> Hi Raphael,
> Thanks for your answer.
> Raphael Geissert wrote:
>>> Let's say if the workflow is that I create or update php package, then I
>>> send a mail with the link of my .dsc file on this list, then one of the
>>> member of the pkg-php team review it and upload, instead of just asking
>>> -mentors, would you think it's the way to go?
>> The procedure I'd prefer would be:
>> * You prepare the package, if you don't have a sponsor you send an RFS
>> to here and -mentors
>> And then if I say I'll sponsor it, I review it and give you feedback
>> for you to improve the package over and over again until it is ready.
>> Finally, I upload it and when there are updates (bug fixes, new
>> version, etc) you contact me.
> What's the point of sending a request to BOTH -mentors and here? Shouldn't I
> just ask here, and if you don't want to, I ask someone else? I believe
> it's better to ask people I know in Debian, than just ask in -mentors
> for nothing. In my experience, posting to -mentors is often useless as
> nobody would pick up the package 80% of the time, if you don't know
> anyone. I'd rather ask a specific person that I know has a chance to
> accept each time, I know it works better.
Depending on the urgency of the upload it might be possible for
somebody to sponsor it sooner when posted to -mentors, as there are
times everyone here is busy.
> Also, I have an AM that has been assigned to me, so I hope all these
> sponsoring needs will soon be over. I'll do my best not to be soft
> rejected because of my stupidity this time! :)
Let's see how you do this time ;-)
>>>> Send me an email with links to the .dsc of the PEAR packages and I'll
>>>> check them.
>>> Sure! Here are the ones to check for updates:
>> Ok, will check them. When do you plan to update php-net-ping?
> That's done. As of today, ALL of my php-* packages that needed an update
> (because of a new version of the upstream version) are in our Debian
> repositories and mirror. Obviously, php-net-ping is in:
> It seems that the way it has been patched in the upstream version is
> different from the one by the security team. The upstream uses
> escapeshellcmd(), while the security team patch uses escapeshellarg().
> Does anyone have comments to make on this?
Yes, I mentioned that a couple of emails ago. The fix applied by
upstream is incomplete as it still permits an argument injection
attack; the DSA has more details.
Since you maintain multiple php packages you should learn more about
php security issues, how to identify and fix them.
>>> The goal of the one just above is to have php-text-captcha (and all its
>>> dependencies) working as I need a good captcha system. I didn't try it
>>> yet, so I'm not sure yet if this captcha is efficient. Has any of you
>>> tried, and know if it's worth the effort to have it packaged in Debian?
>>> I may give up if someone says I should, or if there is a better alternative.
>> It's been a while since I last used it. Nowadays I would use
>> reCAPTCHA instead.
> Is that a hosted service? Meaning that you need to register on the
> website, and rely on them? If so, then I don't like it at all. I don't
> see why I should rely on something external, even if it looks better.
Yes and yes.
>> We have svn and git repositories set up and in use.
>> Check the way the current packages are organised in the repositories.
> I didn't find the repository. Can you give me the URL of the git and
> gitweb of it?
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
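
Added example (not part of the original message, and not the upstream or the DSA patch): the difference between escapeshellcmd() and escapeshellarg() discussed above, shown by letting the shell count how many arguments each escaped value becomes. The helper shell_argc() and the sample host strings are constructed for illustration, and a POSIX /bin/sh is assumed.

```php
<?php
// Added illustration; not code from Net_Ping, upstream's patch or the DSA patch.
// shell_argc() is a hypothetical helper: it lets /bin/sh tokenise the escaped
// text and returns how many separate arguments a program would receive.
function shell_argc(string $escaped): int
{
    $out = [];
    // exec() passes the string to the shell; `set --` turns every following
    // word into a positional parameter and `$#` reports how many there are.
    exec('set -- ' . $escaped . '; echo $#', $out);
    return (int) ($out[0] ?? -1);
}

// Constructed sample values standing in for a user-supplied host name.
$samples = [
    'example.org',        // well-formed host
    'example.org; true',  // contains a shell metacharacter
    'example.org -c 1',   // contains extra words that look like options
];

foreach ($samples as $host) {
    // escapeshellcmd() backslash-escapes metacharacters such as ';' but
    // leaves spaces and dashes alone, so the value can still split into
    // several arguments of the same command.
    $asCmd = escapeshellcmd($host);

    // escapeshellarg() wraps the whole value in single quotes, so the shell
    // hands it to the program as exactly one argument.
    $asArg = escapeshellarg($host);

    printf(
        "%-20s cmd: %-22s argc=%d | arg: %-22s argc=%d\n",
        $host,
        $asCmd,
        shell_argc($asCmd),
        $asArg,
        shell_argc($asArg)
    );
}
```

An argc above 1 in the escapeshellcmd() column means the single "host" value reached the program as several arguments, while the escapeshellarg() column stays at 1 for every sample.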