On Thu, 3 Apr 2003, Wez Furlong wrote:

> The main point of the signature is to allow the end-user to detect if a
> mirror site is holding tampered binary (or source) packages.
>
> I agree that a signature system is a good idea for releases that are
> destined to be mirrored, but it just doesn't seem to be much of a high
> priority for snaps which are rebuilt every few hours, from potentially
> unstable code and intended to be used by people that are testing things
> (and thus are ready to deal with breakage).

I'm of the opinion that once we start down this path it cannot be retracted. Thus, we should take every step possible to ensure it is done right, and not in a half-assembled manner as this proposal requests.

> This is a moot issue: PHP 5 is alpha and there is no signature system in
> 4.3.x, so there is no more danger in providing an unsigned official PHP
> 4.3.x PECL extension than there is in forcing third parties to compile
> and distribute their own...

You're right that it's a moot point for 4.3. But if we ever hope to have PECL seen as a useful feature/functionality, now is the time to provide a stable framework, not after something has gone wrong (and it doesn't have to be from something we/PHP have done). The potential for damage that this can cause is high. It's typically harder to regain trust, and this is the cause of my hesitation to opening this up.

> By all means let's have a certification system in PHP 5 (provided
> someone steps forward and actually implements it, and volunteers to
> audit and review the code etc. etc), but there is no need to hold back
> people using 4.3.x in the meantime.

Once again it would need to be defined and written at the very least.

> The real question is how easy it is to prep the win32 snap building
> machine to fetch and build the latest stable versions of these PECL
> packages.

That's a question I don't know.

>---------------------------------------------------------------<
Dan Kalowsky
http://www.deadmime.org/~dank
[EMAIL PROTECTED]
[EMAIL PROTECTED]

"I'll walk a thousand miles just to slip this skin."
- "Streets of Philadelphia", Bruce Springsteen

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php