On Mon, 2015-07-27 at 09:32 +0200, Ferenc Kovacs wrote:
> Hi,
> 
> I've just realized that even though https://pear.php.net/ is available, we
> are still downloading the install-pear-nozlib.phar via http:// in
> pear/Makefile.frag and makedist
> Do you happen to know any reason for keeping it that way or is this only
> for historical reasons (maybe pear.php.net did not have proper cert or
> configured to accept traffic on 443 originally when the download process
> was created) and should be ok to make this more secure (as it would prevent
> MITM attacks).

To evaluate the impact:

Yes, https is better but shouldn't really matter. End-users shouldn't do
this. The release script downloads it and the RM should verify it. Only
case where the Makefile.frag should trigger the download is for git
users but they should be few and cautious.

(and yes - developers doing this might be an interesting targeted attack
vector. Malicious code there knows where the developer keeps the source
tree and might inject bad code into the codebase which we notice only
with good review of commits ... which we hopefully do ;-) )

johannes
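The two controls discussed in this thread are the transport (fetch the phar over https:// rather than http://) and the verification the RM is expected to do. The POSIX shell functions below are an added example, not the code from pear/Makefile.frag or makedist: they fetch only over HTTPS (curl refuses a plain-http URL or redirect with `--proto '=https'`) and refuse to keep the file unless its SHA-256 matches a value pinned ahead of time. The URL and the expected hash are assumptions; the real hash would be the one the RM records for the release.

```shell
#!/bin/sh
# Added example (not php-src's own Makefile.frag): download install-pear-nozlib.phar
# over HTTPS only and keep it only if its SHA-256 matches a pinned value.
# The URL and EXPECTED_SHA256 are assumptions for illustration, not values from the page.

sha256_of() {
  # Portable SHA-256 of a file: GNU sha256sum, BSD/macOS shasum, or openssl as fallback.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

verify_download() {
  # verify_download FILE EXPECTED_SHA256 -> returns 0 on match, 1 otherwise.
  file=$1; expected=$2
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "hash mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

fetch_verified() {
  # fetch_verified URL DEST EXPECTED_SHA256
  # --proto '=https' and --proto-redir '=https' reject plain http, including after a redirect;
  # curl verifies the server certificate by default. The file is written to a temp name and
  # only renamed into place after the hash check, so a partial or tampered download is never used.
  url=$1; dest=$2; expected=$3
  tmp="$dest.tmp.$$"
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' \
       --output "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  if verify_download "$tmp" "$expected"; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage (assumed URL and placeholder hash; replace with the value the RM recorded):
#   fetch_verified https://pear.php.net/install-pear-nozlib.phar install-pear-nozlib.phar \
#       <EXPECTED_SHA256_PLACEHOLDER>
```

The download and the verification are split into two functions so that the RM can run `verify_download` alone against a phar that was fetched earlier, which is the check the reply above says the release script should already be doing.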
