fix-docker-pecl: Fix Dockerfile after pear.php.net hack #6641
Conversation
|
To be honest, i’m Not sure what we even need pear for.... |
|
For building the deprecated mcrypt, for the LegacyEncrypter? |
|
Ah, yeah - maybe some of the stuff in the Maybe it makes sense to move the recrypter into a separate package, so the 95% of the people who will never use it don't have to carry around that old dependency. |
|
I will try to replace the mcrypt RIJNDAEL_* with the openssl AES_* equivalents, if I get some time. Mcrypt isn't coming back. |
|
Oh of course it’s not - the only reason we keep the legacy stuff there is because if someone has a very old install (which used mcrypt) and had anything encrypted in it (encrypted custom fields, LDAP password, etc), without running the recrypter, that info in the database would be irretrievably lost when they upgrade. It’s a small percentage of people as far as I can tell, but upgrading without recrypting would be data destructive. Believe me, I wouldn’t have built that abomination if I didn’t have to. |
pear.php.net was distributing a hacked go-pear.phar and is now offline. Change Dockerfile to get known good phar from github.
see:
https://blog.rapid7.com/2019/01/22/php-extension-and-application-repository-pear-compromise-what-you-need-to-know/