Newsgroups: php.internals
Date: Thu, 18 Nov 2021 15:11:40 +0100
To: Matthew Weier O'Phinney, Nikita Popov
Cc: Patrick ALLAERT, "Christoph M. Becker", PHP internals
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 18.11.2021 at 14:53, Matthew Weier O'Phinney wrote:

> With Laminas, we use an email alias to allow researchers to report to us.
> We then post the full report as a security issue on GitHub - it's a feature
> they rolled out late 2019/early 2020 that restricts visibility to
> maintainers initially, but allows inviting others to collaborate (we invite
> the reporter immediately, for instance). It also creates a private branch
> for collaboration. When the patch has been merged, you can mark the issue
> public.
>
> If the plan is to move to GH anyways, this could solve security reporting.

Thanks! I wasn't aware of that feature. More info at .

--
Christoph M. Becker