Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues
From: cmbecker69@gmx.de ("Christoph M. Becker")
To: Nikita Popov, Matthew Weier O'Phinney
Cc: Patrick ALLAERT, PHP internals
Date: Thu, 18 Nov 2021 15:36:47 +0100
References: <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de>

On 18.11.2021 at 15:19, Nikita Popov wrote:
> On Thu, Nov 18, 2021 at 2:53 PM Matthew Weier O'Phinney <
> mweierophinney@gmail.com> wrote:
>
>> With Laminas, we use an email alias to allow researchers to report to us.
>> We then post the full report as a security issue on GitHub - it's a feature
>> they rolled out late 2019/early 2020 that restricts visibility to
>> maintainers initially, but allows inviting others to collaborate (we invite
>> the reporter immediately, for instance). It also creates a private branch
>> for collaboration. When the patch has been merged, you can mark the issue
>> public.
>
> Thanks for the suggestion! That does sound generally viable to me. Just to
> clarify, this is not making use of issues, but rather of "advisories",
> which GH implements as an independent feature.
>
> I'm not involved in security response, so I can't say whether the security
> group would want to adopt such a process. This is probably something that
> should be decided among the people who handle security issues, rather than
> here.

Yeah, I suggest decoupling the security reporting issue from this RFC.
That can and should be decided by other people, and wouldn't need an RFC,
in my opinion.

Just a quick note here that the handling of security reports is rather
suboptimal on bugsnet. Patches need to be shared via secret Gists (or
similar) since even the reporter can't access attached patches.

--
Christoph M. Becker