Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:114323
Return-Path: <kontakt@beberlei.de>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 44593 invoked from network); 10 May 2021 07:49:41 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 10 May 2021 07:49:41 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 93CAC1804C8
	for <internals@lists.php.net>; Mon, 10 May 2021 00:57:08 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
	SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <kontakt@beberlei.de>
Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com [209.85.221.42])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 10 May 2021 00:57:07 -0700 (PDT)
Received: by mail-wr1-f42.google.com with SMTP id l13so15515875wru.11
        for <internals@lists.php.net>; Mon, 10 May 2021 00:57:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=beberlei-de.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=8nbu9bzr/UqzeqUSz+nJRRujLqVQAsctLI6RvUzZ7DM=;
        b=GB9AoDPd7Lg5tW0vQ/9z5XGwbmZURTpT3wt7RQkE/odRcRlLY4186yxKcXZTeSey7G
         QJ5L0HgEDFEWLqDd3QiKgx7Z0TPqa7ahSWsnKm1IE3XomujgSa4/v6Ij0YYWshV/F2S5
         ApntJCxcL0dbS2+NrWmhWWkO6pU4B6zGfVEDMED9Dg4iB+pqz72zU3BKB9bFo3oNwIiX
         2y0BzZyAyIQFRrNavgKYhM86hJkQfnJYl32SaprWm0PAv5T1Z9JRrKs/KvwrFRTgsD/g
         Igcwyqz9aASnC8r3lAVkj2UeK9onm+4PxQp861QEIBeorPGtfyqAy5hUh1uvi+6TJRay
         M75g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=8nbu9bzr/UqzeqUSz+nJRRujLqVQAsctLI6RvUzZ7DM=;
        b=goENhDRuk6agI4FUCfdZXNSKida0WlZQIq9Ni33L4mbMQ9Q81VbO5+7A0AtMImSMnO
         SpKBNOXvIe4u5jl1hkhIF5LjuJCHHVZx+er9nh6ke0o+Rb4osLIAzOGUpBFwJfwtUmPR
         CbYw0Bt+kkAb98V7U5GayYib31Q05bkisJ3xLCIUM40XKpTKIYz9WzL3uAwv37bDX5qn
         b19QyrKFv99+/i8F81MWKh2VLYu4hPmwXpGe53ZkxbYiSuJOU69A6X9VrCXJqDONUnRK
         lYhexVCI/TKLk+zFJXA2fj4cdHgSUzeSEgOcTfXvzjI7uBDC4CKHC1PKjBEvhPaOcHAe
         mmCQ==
X-Gm-Message-State: AOAM532NRn7monOxPBKcjMlBdkM1xGyaM7zec16qPz4UJTwZdPqrZRve
	nxuZYomQLmL/V4K5/rRG+BN7mVCaZDu4pmK5a4nlmA==
X-Google-Smtp-Source: ABdhPJyGphV1NiVPeMAaEalwk87d2eqSckXrqkFsgXRq799owsh3W1VedDU6jqWVdqzWL9qCN0rvzZPi8XtGu2MIbQk=
X-Received: by 2002:adf:f1ca:: with SMTP id z10mr28794386wro.271.1620633426390;
 Mon, 10 May 2021 00:57:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAOwTYAtOti3+Tv9Cu5fK6bQ3tjAibRHUWOctnQFfGJyaoQYExw@mail.gmail.com>
In-Reply-To: <CAOwTYAtOti3+Tv9Cu5fK6bQ3tjAibRHUWOctnQFfGJyaoQYExw@mail.gmail.com>
Date: Mon, 10 May 2021 09:56:55 +0200
Message-ID: <CAEPJduk5P7b9UrO-PJxg=LZ4MnUSfNjC+Q6UiKBiDDWX76hXFg@mail.gmail.com>
To: Joe Watkins <krakjoe@php.net>
Cc: PHP internals <internals@lists.php.net>, 
	PHP Release Managers <release-managers@php.net>
Content-Type: multipart/alternative; boundary="000000000000b128e905c1f51f70"
Subject: Re: [PHP-DEV] Bugsnet
From: kontakt@beberlei.de (Benjamin Eberlei)

--000000000000b128e905c1f51f70
Content-Type: text/plain; charset="UTF-8"

On Sun, May 9, 2021 at 8:49 AM Joe Watkins <krakjoe@php.net> wrote:

> Morning internals,
>
> We have a spam problem on bugsnet, it's not a new problem. Nikita had to
> waste time deleting 20 odd messages from bugsnet yesterday and this is a
> common, daily occurrence. We clearly don't have time for this.
>
> Quite aside from spam problems, bugsnet is hidden away in a dark corner of
> the internet that requires a special login, doesn't integrate with source
> code or our current workflow (very nicely), and doesn't get updated or
> developed.
>
> Having moved our workflow to github, now seems to be the time to seriously
> consider retiring bugsnet for general use, and using the tools that are
> waiting for us - Github Issues.
>
> I'm aware that bugsnet serves as the disclosure method for security bugs
> and github doesn't have a solution to that. Leaving that to one side for
> now ...
>
> I'm also aware that bugsnet carries with it 20 years worth of crusty old
> feature requests and bugs, that are never realistically going to be dealt
> with. In the past I've spent time trying to close very old bugs that no
> longer seem relevant, the fact is that there are so many of these that I
> don't think I made a dent.
>
> It seems obvious that we don't want to migrate all of the data on bugsnet,
> but nor do we want to loose the most recent and relevant reports.
>
> I propose that we disable bugsnet for all but security issues leaving
> responsible disclosure method to be handled in some other way at a later
> date. Leaving bugsnet in a (mostly) readonly mode.
>
> We then send a notification to all bugs that were opened against a specific
> and supported version of PHP, notifying the opener of the change and
> requesting that they take a couple of minutes to open their issue on
> github.
>
> I think we might get quite a good response here - anyone suffering the
> worst consequences of bugs - production servers can't be upgraded and so on
> - are already waiting for a notification from bugsnet, I'm sure the
> majority of them will do as we ask.
>
> In some set number of weeks (to be decided), and depending on the response
> to our switching over to github, we can try to determine at that time if
> it's worth trying to import any data from bugsnet. We can also consider at
> this time when it might be appropriate to retire bugsnet entirely.
>
> We will not be free of spam simply by moving, but github has the tools we
> need to moderate the content properly - you can block people. In addition,
> I feel people are less likely to misbehave if they think their co-workers
> or employers might be able to see what they are doing, which may have an
> effect also.
>
> It may be over optimistic, but we might get better engagement with bugs on
> github than anywhere else also - Github is where people are tending to do
> their business today.
>

One downside of this "easy access" is that Github Issues tend to get used
as support question forum, at least from my experience on Doctrine it can
easily be 50% of the issues that are support questions. This is much more
work to process than simple spam issues, because there is a human on the
other side who need to be directed towards the proper support channel.

In addition I agree with Rowans assessment that large projects usually have
lots of automation in place on top of Github issues that we would again
need to configure, write or maintain in one way or another.

bugsweb on the other hand is a "classic LAMP" stack application, so maybe
we could look into removing the infrastructure variable from the hosting
equation and look for a PaaS provider? Spam protection third party services
are also available and might potentially be integrated with in a reasonable
amount of time.


> Github is maintained, hosted, developed, and free, and while it isn't the
> perfect tool for the job, nothing else is either. We could spend time
> (which we don't have) developing bugsnet, or installing some other solution
> in a dark corner of the internet, and solve no problems at all, and be
> burdened with the ongoing maintenance of that solution.
>
> The people who have to spend the most time on this are release managers,
> and so while I'm talking to everyone, it is release managers opinions that
> I'm most interested in, they are the people who will be and have been most
> effected by the shortcomings in bugsnet, whose opinions are most relevant
> in this space.
>
> I don't think a vote is appropriate, this decision should be made by the
> people whose "jobs" are directly effected - with input from the community,
> of course. Not least of all, it will take a month to close a vote, by which
> time we will have wasted another (working) day or more of Nikitas time.
> Having said all that, I am looking for a consensus before we take any
> action. My arm can be twisted, but this is my current position and I think
> it's a reasonable one.
>
> On the issue of responsible disclosure ... we can treat this separately,
> with the recent change in the workflow, this process is in need of review
> anyway. How that is handled should be decided by the people who have a hand
> in that process, and so it seems prudent to leave it aside for now.
>
> Cheers
> Joe
>

--000000000000b128e905c1f51f70--