On Tue, 2015-07-28 at 17:11 +0200, Sebastian Bergmann wrote:
> On 07/28/2015 04:45 PM, Johannes Schlüter wrote:
> > (and yes - developers doing this might be an interesting targeted
> > attack vector. Malicious code there knows where the developer keeps
> > the source tree and might inject bad code into the codebase which we
> > notice only with good review of commits ... which we hopefully do ;-)
> > )
> 
>  If this really only affects the developers of PHP then how about
>  toggling the default and not build --with-pear by default? Developers of
>  PHP don't really care about PEAR anyway, or do they?

Mind that this only affects "make install"; if you don't install, it won't
be loaded. For a developer I hardly see a reason to install (building
shared extensions out of tree might be a reason), but if they do, the
experience should be as similar as possible to make sure the tested
behavior is what the user sees.

An approach might be to remove the automatic download and instruct
the user to put the file there manually if this is seen as important.

johannes
