Newsgroups: php.internals
Xref: news.php.net php.internals:116448
Date: Thu, 18 Nov 2021 07:53:22 -0600
From: "Matthew Weier O'Phinney" <mweierophinney@gmail.com>
To: Nikita Popov
Cc: Patrick ALLAERT, "Christoph M. Becker", PHP internals
References: <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de>
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues

On Thu, Nov 18, 2021, 7:32 AM Nikita Popov wrote:

> On Thu, Nov 18, 2021 at 2:07 PM Patrick ALLAERT wrote:
>
> > On Wed., 17 Nov 2021 at 13:30, Christoph M. Becker wrote:
> > > Right. An alternative might be to let users report security issues to
> > > the security mailing list, where, if the issue turns out not to be a
> > > security issue, the reporter could still be asked to submit a GH issue
> > > about the bug. In that case it might be useful to add more devs to the
> > > security mailing list.
> >
> > I was thinking about the same. Can't we work with security issues with
> > the mailing list *only*?
> > It doesn't feel optimal to keep bugs.php.net active for just security
> > ones.
> > I miss seeing the motivation for it.
>
> The problem with the security mailing list is that it's ephemeral --
> someone new can't look at past discussions before they were subscribed.
> Additionally, it's not possible to make the issue and the whole
> conversation around it public after the issue has been fixed.

With Laminas, we use an email alias to allow researchers to report to us. We then post the full report as a security issue on GitHub - it's a feature they rolled out late 2019/early 2020 that restricts visibility to maintainers initially, but allows inviting others to collaborate (we invite the reporter immediately, for instance). It also creates a private branch for collaboration. When the patch has been merged, you can mark the issue public.

If the plan is to move to GH anyway, this could solve security reporting.

> Regards,
> Nikita