Newsgroups: php.internals
Xref: news.php.net php.internals:116466
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues
From: smalyshev@gmail.com (Stanislav Malyshev)
To: internals@lists.php.net
Date: Fri, 19 Nov 2021 13:43:37 -0700
References: <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de>

Hi!

> With Laminas, we use an email alias to allow researchers to report to us.
> We then post the full report as a security issue on GitHub - it's a feature
> they rolled out late 2019/early 2020 that restricts visibility to
> maintainers initially, but allows inviting others to collaborate (we invite
> the reporter immediately, for instance). It also creates a private branch
> for collaboration. When the patch has been merged, you can mark the issue
> public.
>
> If the plan is to move to GH anyways, this could solve security reporting.

Not familiar with it, but on the initial look it seems it could work, with one caveat. We have a ton of reports which aren't security issues and some which need to be discussed before we are sure which one is that. We could do it on the list, of course, but that creates the same dangers as mentioned before - too easy to lose info in an un-archived ML.

-- 
Stas Malyshev
smalyshev@gmail.com