Newsgroups: php.internals
Date: Wed, 17 Nov 2021 13:29:53 +0100
Message-ID: <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de>
From: cmbecker69@gmx.de ("Christoph M. Becker")
To: Nikita Popov, Björn Larsson
Cc: PHP internals
Subject: Re: [RFC] Migrating to GitHub issues

On 17.11.2021 at 13:01, Nikita Popov wrote:

> On Mon, Nov 15, 2021 at 9:18 PM Björn Larsson wrote:
>
>> On 2021-11-02 at 15:19, Nikita Popov wrote:
>>> Hi internals,
>>>
>>> The migration from bugs.php.net to GitHub issues has already been
>>> discussed in https://externals.io/message/114300 and has already
>>> happened for documentation issues.
>>>
>>> I'd like to formally propose to use GitHub for PHP implementation
>>> issues as well: https://wiki.php.net/rfc/github_issues
>>>
>>> Regards,
>>> Nikita
>>>
>> Hi,
>>
>> The current proposal is to move all new issues from bugs.php.net to
>> GitHub except security ones.
>>
>> I think it's important to think a bit on what that means for reporting
>> security issues in the future. I mean, if we leave bugs.php.net to rot
>> in the corner, what are the consequences for reporting security issues?
>>
>> I think that aspect needs to be a bit further analysed like:
>> - Will this move have a negative impact on reporting security issues
>>   on bugs.php.net?
>>   # Both from a technical and people perspective.
>> - Can one assume that by bugs.php.net having probably even less
>>   attention, that reporting security issues will work as is?
>> - Is there an alternative for also handling security issues?
>>
>> Think it would be good if the RFC could analyse that a little, besides
>> saying business as usual for security issues.
>
> I don't think there's much more to say than that -- it should indeed be
> business as usual. The only complication I see for security issues is that
> we will not be able to easily move security issues that turn out to be
> non-security bugs over to GitHub. As such, we may have a very low number of
> new bugs appearing on bugs.php.net by being reported as security issues
> first and being reclassified later. I don't view that as an immediate
> problem, because to start with, we'll still be working with recent reports
> on bugs.php.net anyway. Longer term, I do hope that GitHub will provide a
> way to report issues privately (i.e. as indicated in
> https://github.blog/2021-11-12-highlights-github-security-roadmap-universe-2021/),
> so that we can consolidate everything in one tracker. But given the lack of
> clear roadmap for this, I'm not basing any plans on it yet.
>
> I do think that the handling of security issues is the weakest part of this
> move, and probably the only area where choosing a different platform could
> have a tangible advantage. However, we receive orders of magnitude fewer
> security issues than other reports, and there is a much smaller number of
> people involved in handling them, so I don't think we need to put too
> strong a focus on this aspect.

Right. An alternative might be to let users report security issues to
the security mailing list, where, if the issue turns out not to be a
security issue, the reporter could still be asked to submit a GH issue
about the bug. In that case it might be useful to add more devs to the
security mailing list.

Christoph