Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:119218
Return-Path: <nikita.ppv@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 25190 invoked from network); 30 Dec 2022 21:13:34 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 30 Dec 2022 21:13:34 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 03600180504
	for <internals@lists.php.net>; Fri, 30 Dec 2022 13:13:33 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=5.0 tests=BAYES_40,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <nikita.ppv@gmail.com>
Received: from mail-qv1-f50.google.com (mail-qv1-f50.google.com [209.85.219.50])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri, 30 Dec 2022 13:13:33 -0800 (PST)
Received: by mail-qv1-f50.google.com with SMTP id u2so1723246qvo.12
        for <internals@lists.php.net>; Fri, 30 Dec 2022 13:13:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=subject:cc:to:from:date:references:in-reply-to:message-id
         :mime-version:user-agent:feedback-id:from:to:cc:subject:date
         :message-id:reply-to;
        bh=aSgK6SXttvm8PPRQxAGuA8lXqLOV/gN9rhwm24OETH0=;
        b=OtgaBYZL63KRGvrMArsq4LOfDfX1WBo2qDKrKP1cxQLd2J6/qiJgZPsH+mD32njPMX
         DpNrPpcev30il9jJyIxEgYAG83dT10H8H6dm5jWqT7f3tEPFhxiu2NcSvk9nwVQ/5bCl
         xAdrJKT06Id10OAf+abYjnFHpRnsJIIb/XvhR3cTsrvWk14OpPp3ee6K5vhJgpOfTThW
         NpX9hqHeDaytq2/7EaPTHPdh9PuJLLG+xLIeMnPvs/wldjR9p//w6jEgzO+IL1COfBd1
         M4UOPjJAbc3lz1UwNi3Y7uUC9VmBVckVdyYFf6nCqLJqOSe6r9M19Ac+R6/3WVrDez1P
         R+QQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=subject:cc:to:from:date:references:in-reply-to:message-id
         :mime-version:user-agent:feedback-id:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=aSgK6SXttvm8PPRQxAGuA8lXqLOV/gN9rhwm24OETH0=;
        b=CarNJy678yVW1NzzRl+MRS0cxaNnhG5ATsfzFY4TKoVCwJ7qDR7L1jQAoIxpDD44zm
         PcST+3ykEUbxv8x0O9IXngaQiEQMa82pY4Eko2cbj8bLH0AvZgK2xsD4k1x8hd9v8/c4
         0HFMEiHOtZ/S2qHnCdvWSIdSp/cZBr3if/fWZ/GLmByevddijSE2FUZjGNKBAwTdGF+F
         gZUFvE2E/vGYLck9y0xLAzd6jNtZqRwKmT9p1JM6NHbaFpBWqDT26/G406EYzkgEPEO9
         WQ34e1JQoDYDfPdWVXXbpyA3/kOmEbJvAqQJI3pf0CY5BeK6M18yK9ajFjrYUtTYn6e+
         9uDQ==
X-Gm-Message-State: AFqh2ko0nbATtTlOimWz9BwNfZzTw43FPqBkiQCa0W0UZ0q19Mq4nO8l
	KUZnl97cXgqGkVBlVbQFOMY=
X-Google-Smtp-Source: AMrXdXuseDwlqE5iaFDFJCAua77ZLHgAPB2veo/eDsMKmku2hMWTet15h3+W9V+SiaBOGzn/DDm7Ng==
X-Received: by 2002:ad4:580d:0:b0:4c6:99f3:cdd3 with SMTP id dd13-20020ad4580d000000b004c699f3cdd3mr50235751qvb.41.1672434812652;
        Fri, 30 Dec 2022 13:13:32 -0800 (PST)
Received: from auth1-smtp.messagingengine.com (auth1-smtp.messagingengine.com. [66.111.4.227])
        by smtp.gmail.com with ESMTPSA id u22-20020a05620a455600b006fb112f512csm15838956qkp.74.2022.12.30.13.13.30
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 30 Dec 2022 13:13:30 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46])
	by mailauth.nyi.internal (Postfix) with ESMTP id C3FC227C0054;
	Fri, 30 Dec 2022 16:13:29 -0500 (EST)
Received: from imap48 ([10.202.2.98])
  by compute2.internal (MEProxy); Fri, 30 Dec 2022 16:13:29 -0500
X-ME-Sender: <xms:eFSvY8Nw8PrskciBPhUpgCfQHaBPosejKgFkdL5OtBvRNpMYWqEujw>
    <xme:eFSvYy9RaTOXjYeIiAJR19PVh_2lQUMtx3EDqLptHeuSnus6o-_QHZMthrNhSBn0C
    fKZXGYOXjbcbVwU2ps>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrieeigddugeehucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
    cujfgurhepofgfggfkjghffffhvfevufgtsegrtderreerredtnecuhfhrohhmpedfpfhi
    khhithgrucfrohhpohhvfdcuoehnihhkihhtrgdrphhpvhesghhmrghilhdrtghomheqne
    cuggftrfgrthhtvghrnhephfffgeelfeeivdfhjeehuedvledttddtheeiiedvtdegledu
    udffieduffektdefnecuffhomhgrihhnpehgihhthhhusgdrsghlohhgpdhphhhprdhnvg
    htpdhgihhthhhusgdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhep
    mhgrihhlfhhrohhmpehmrghilhdomhgvshhmthhprghuthhhphgvrhhsohhnrghlihhthi
    dqudefudefledukeehiedqvdehkedvgeehieekqdhnihhkihhtrgdrphhpvheppehgmhgr
    ihhlrdgtohhmsehnphhophhovhdrtghomh
X-ME-Proxy: <xmx:eFSvYzQjfBOzpn4XKFQoWa4lv2gPJMaRHPfVNDeOYJehqR19zK7Wrw>
    <xmx:eFSvY0shT6TYvAUFNKL56l7XDGWqWopaXmaUqKNyu7cp3x8Ouivcjw>
    <xmx:eFSvY0dTAgXiwxS8MOSckPOIU1l30P3-Naub7eh0uxs4lVikXzf0Jw>
    <xmx:eVSvYwHrDtShXGQiDSMvj22RAVFk3cCrXPBNg9YBIJk6V33YBgMOew>
Feedback-ID: id4a9467a:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id ABF2731A0063; Fri, 30 Dec 2022 16:13:28 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-1185-g841157300a-fm-20221208.002-g84115730
Mime-Version: 1.0
Message-ID: <59f61bd5-8212-47af-857e-b452705b1811@app.fastmail.com>
In-Reply-To: <8fbb3af9-5fb5-1220-3b88-a42f5aaa40ef@gmx.de>
References: 
 <CAF+90c90pTtjxuMaQ88h+njhByfbv4qs=xx72CVPSw40tde6Cg@mail.gmail.com>
 <dde40b06-93c4-cb5b-0abf-48dfd8781fdf@telia.com>
 <CAF+90c_=GhEy0pX5wp9Hcj5+D31tjhhKBCSDCs4ofAoZj00_fA@mail.gmail.com>
 <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de>
 <CACwt+JeLADQC6QvFt4m1gZCZ+oEeQnhSun-37T39bAR1N-uBjQ@mail.gmail.com>
 <CAF+90c9_u2BgDKywLMCfx9C3mFz-a-XZFeMe8NCvk8w4Fr1R0Q@mail.gmail.com>
 <CAJp_myWdQze1_WuL9ddDoi+1UTLUNz+9nU5_7hiKGG_-QhVqjg@mail.gmail.com>
 <d68fc8c9-4e5e-2bd7-6e02-e5afe1fc4c10@gmail.com>
 <CAF+90c-Lbtav0dhAuPi0g2hox2MgNNRNagzxusBSoWvAAg-2Ow@mail.gmail.com>
 <8fbb3af9-5fb5-1220-3b88-a42f5aaa40ef@gmx.de>
Date: Fri, 30 Dec 2022 22:12:36 +0100
To: "Christoph M. Becker" <cmbecker69@gmx.de>,
 "Stanislav Malyshev" <smalyshev@gmail.com>,
 "security@php.net" <security@php.net>
Cc: internals@lists.php.net
Content-Type: multipart/alternative;
 boundary=7d0d1b8a18f644edab1adc401b8f4d3d
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues
From: nikita.ppv@gmail.com ("Nikita Popov")

--7d0d1b8a18f644edab1adc401b8f4d3d
Content-Type: text/plain

On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
> On 09.11.2022 at 23:27, Nikita Popov wrote:
> 
> > It looks like GitHub has just added support for private security reports:
> > https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
> >
> > I haven't looked into the details, but it probably makes sense to enable
> > those on php-src and make this our official venue for security bug reports.
> > This would allow retiring the last remaining use of bugs.php.net (well,
> > apart from the archive of old issues, which should of course remain).
> 
> I agree, but maybe the security team is in favor of sticking with
> bugs.php.net.

I noticed that the php-src repo does enable private vulnerability reports now, and there is one sitting around without response at https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv.

Possibly this was enabled unintentionally / without coordination with the security team? That should probably either be disabled again, or someone needs to keep an eye on it.

Regards,
Nikita
--7d0d1b8a18f644edab1adc401b8f4d3d--