Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues
From: nikita.ppv@gmail.com (Nikita Popov)
To: Stanislav Malyshev
Cc: internals@lists.php.net
Date: Wed, 9 Nov 2022 23:27:33 +0100
References: <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de>

On Fri, Nov 19, 2021 at 9:44 PM Stanislav Malyshev wrote:

> Hi!
>
> > With Laminas, we use an email alias to allow researchers to report to us.
> > We then post the full report as a security issue on GitHub - it's a feature
> > they rolled out late 2019/early 2020 that restricts visibility to
> > maintainers initially, but allows inviting others to collaborate (we invite
> > the reporter immediately, for instance). It also creates a private branch
> > for collaboration. When the patch has been merged, you can mark the issue
> > public.
> >
> > If the plan is to move to GH anyways, this could solve security reporting.
>
> Not familiar with it, but on the initial look it seems it could work,
> with one caveat. We have a ton of reports which aren't security issues
> and some which need to be discussed before we are sure which one is that.
>
> We could do it on the list, of course, but that creates the same dangers
> as mentioned before - too easy to lose info in an un-archived ML.
> --
> Stas Malyshev
> smalyshev@gmail.com

It looks like GitHub has just added support for private security reports:
https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/

I haven't looked into the details, but it probably makes sense to enable
those on php-src and make this our official venue for security bug reports.
This would allow retiring the last remaining use of bugs.php.net (well,
apart from the archive of old issues, which should of course remain).

Regards,
Nikita