Newsgroups: php.internals
Date: Thu, 18 Nov 2021 15:19:16 +0100
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues
From: Nikita Popov <nikita.ppv@gmail.com>
To: Matthew Weier O'Phinney
Cc: Patrick ALLAERT, Christoph M. Becker, PHP internals
References: <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de>

On Thu, Nov 18, 2021 at 2:53 PM Matthew Weier O'Phinney <mweierophinney@gmail.com> wrote:

> On Thu, Nov 18, 2021, 7:32 AM Nikita Popov wrote:
>
>> On Thu, Nov 18, 2021 at 2:07 PM Patrick ALLAERT wrote:
>>
>> > On Wed, 17 Nov 2021 at 13:30, Christoph M. Becker wrote:
>> > > Right. An alternative might be to let users report security issues to
>> > > the security mailing list, where, if the issue turns out not to be a
>> > > security issue, the reporter could still be asked to submit a GH issue
>> > > about the bug. In that case it might be useful to add more devs to the
>> > > security mailing list.
>> >
>> > I was thinking about the same. Can't we work with security issues with
>> > the mailing list *only*?
>> > It doesn't feel optimal to keep bugs.php.net active for just security
>> > ones.
>> > I miss seeing the motivation for it.
>>
>> The problem with the security mailing list is that it's ephemeral --
>> someone new can't look at past discussions before they were subscribed.
>> Additionally, it's not possible to make the issue and the whole
>> conversation around it public after the issue has been fixed.
>
> With Laminas, we use an email alias to allow researchers to report to us.
> We then post the full report as a security issue on GitHub - it's a feature
> they rolled out late 2019/early 2020 that restricts visibility to
> maintainers initially, but allows inviting others to collaborate (we invite
> the reporter immediately, for instance). It also creates a private branch
> for collaboration. When the patch has been merged, you can mark the issue
> public.

Thanks for the suggestion! That does sound generally viable to me. Just to
clarify, this is not making use of issues, but rather of "advisories", which
GH implements as an independent feature.

I'm not involved in security response, so I can't say whether the security
group would want to adopt such a process. This is probably something that
should be decided among the people who handle security issues, rather than
here.

Regards,
Nikita