Newsgroups: php.internals
Xref: news.php.net php.internals:114314
Date: Sun, 9 May 2021 16:26:31 +0100
To: Joe Watkins
Cc: PHP internals, PHP Release Managers
Subject: Re: [PHP-DEV] Bugsnet
From: bukka@php.net (Jakub Zelenka)

Hi,

> Having moved our workflow to github, now seems to be the time to seriously
> consider retiring bugsnet for general use, and using the tools that are
> waiting for us - Github Issues.

+1, I have been dealing with bugsnet quite a bit as part of maintaining openssl ext and FPM and it really sucks. Github issues are much better from the maintainer point of view.

> I'm aware that bugsnet serves as the disclosure method for security bugs
> and github doesn't have a solution to that. Leaving that to one side for
> now ...

NodeJS uses hackerone which has got free plans for open source so that might be an option. I'm sure there are more options and we don't have to keep bugsnet for that too. But agree that starting with normal bugs and requests is a way to go.

> I'm also aware that bugsnet carries with it 20 years worth of crusty old
> feature requests and bugs, that are never realistically going to be dealt
> with. In the past I've spent time trying to close very old bugs that no
> longer seem relevant, the fact is that there are so many of these that I
> don't think I made a dent.

Lots of them are still valid though. At least the ones for openssl and fpm that I track. It's not completely true that they are not going to be dealt with.
For example, just recently Christoph made a PR for a pkcs7 issue reported in 2005 and I'm looking into how to write a test for it. Just want to say that those are still valid and we will likely need some kind of migration for many of those bugs even though the OP is not active. It could be just a tool that maintainers can use for selected bugs. I guess just having some export in json for each bug would be great. Then the tool to create a new issue and comments in gh would be easy - I could even write it myself. :)

> It seems obvious that we don't want to migrate all of the data on bugsnet,
> but nor do we want to lose the most recent and relevant reports.
>
> I propose that we disable bugsnet for all but security issues leaving
> responsible disclosure method to be handled in some other way at a later
> date. Leaving bugsnet in a (mostly) readonly mode.

Could we just leave it editable for VCS users only? That would help with tracking and closing the migrated issues. It would eliminate spam so it should be fine to keep it like that for some time.

Cheers

Jakub