Package: movim
Version: 0.14.1-5
Severity: normal

Hi,

I just noticed that the movim package depends on composer. Looking further, it seems to use the ClassLoader feature of Composer. I’m not sure this is a proper (nor optimal) way to load classes in a production system, I’m not even confident that’s a secure way to do it.

I thus would like to advise the use of a tool like phpab in order to generate an autoload at build time, and let movim use this static autoload at run time. As an example, may I point you to the composer package that uses this technique.

This bug is X-Debbugs-Cc to the <pkg-php-p...@lists.alioth.debian.org> list, maybe it could be a good place to discuss the issue further if you want to (I tried to keep this report short), and I’m also open to help moving to a static autoload.php (by providing a patch to this report for example).

Maybe some movim dependencies are affected by a similar issue, I didn’t open similar reports in those packages right now to avoid splitting the discussion in various places. I’d like to advise hosting those dependencies under the “Debian PHP PEAR (and Composer) Maintainers” umbrella by the way.

Regards

David
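The build-time approach proposed in the report, sketched as an added example (this is not phpab's code, nor Movim's or the Debian packaging's): a generator scans a source tree once and emits a static `autoload.php` whose class map is fixed, so at run time only the classes found at build time resolve to a file. The function names `declared_types` and `build_autoloader`, the output location inside the source directory, and the PHP >= 8.0 tokenizer are assumptions of this example.

```php
<?php
// Added example (needs PHP >= 8.0), not phpab's code. Enums are not handled.
/** Fully qualified classes, interfaces and traits declared in $source. */
function declared_types(string $source): array
{
    $tokens = token_get_all($source);
    [$namespace, $types] = ['', []];
    foreach ($tokens as $i => $token) {
        $id = is_array($token) ? $token[0] : null;
        if (!in_array($id, [T_NAMESPACE, T_CLASS, T_INTERFACE, T_TRAIT], true)) {
            continue;
        }
        // Name = next non-whitespace token; Foo::class and anonymous classes have none.
        for ($j = $i + 1; ($tokens[$j][0] ?? null) === T_WHITESPACE; $j++);
        $next = $tokens[$j] ?? [null, null];
        $name = in_array($next[0], [T_STRING, T_NAME_QUALIFIED], true) ? $next[1] : null;
        if ($id === T_NAMESPACE) {
            $namespace = $name ?? '';
        } elseif ($name !== null) {
            $types[] = ltrim($namespace . '\\' . $name, '\\');
        }
    }
    return $types;
}

/** Source of a static autoloader covering every .php file under $srcDir. */
function build_autoloader(string $srcDir): string
{
    $map = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if ($file->getExtension() === 'php') {
            foreach (declared_types(file_get_contents($file->getPathname())) as $type) {
                // PHP class names are case-insensitive, so keys are lowercased.
                $map[strtolower($type)] = substr($file->getPathname(), strlen($srcDir));
            }
        }
    }
    ksort($map);
    return "<?php\nspl_autoload_register(static function (string \$class): void {\n"
        . '    static $map = ' . var_export($map, true) . ";\n"
        . "    if (isset(\$map[\$key = strtolower(\$class)])) {\n"
        . "        require __DIR__ . \$map[\$key];\n    }\n});\n";
}

// Build step: "php build.php src" writes src/autoload.php (names are assumed).
if (isset($argv[1])) {
    file_put_contents($argv[1] . '/autoload.php', build_autoloader(rtrim($argv[1], '/')));
}
```

The generated file performs a single array lookup per class and never derives a file path from the requested class name.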