Newsgroups: php.internals
Xref: news.php.net php.internals:119219
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues
From: cmbecker69@gmx.de ("Christoph M. Becker")
To: Nikita Popov, "Christoph M. Becker", Stanislav Malyshev, "security@php.net"
Cc: internals@lists.php.net
Date: Fri, 30 Dec 2022 22:39:39 +0100
References: <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de> <8fbb3af9-5fb5-1220-3b88-a42f5aaa40ef@gmx.de> <59f61bd5-8212-47af-857e-b452705b1811@app.fastmail.com>
In-Reply-To: <59f61bd5-8212-47af-857e-b452705b1811@app.fastmail.com>

On 30.12.2022 at 22:12, Nikita Popov wrote:

> On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
>
>> On 09.11.2022 at 23:27, Nikita Popov wrote:
>>
>>> It looks like GitHub has just added support for private security reports:
>>> https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
>>>
>>> I haven't looked into the details, but it probably makes sense to enable
>>> those on php-src and make this our official venue for security bug reports.
>>> This would allow retiring the last remaining use of bugs.php.net (well,
>>> apart from the archive of old issues, which should of course remain).
>>
>> I agree, but maybe the security team is in favor of sticking with
>> bugs.php.net.
>
> I noticed that the php-src repo does enable private vulnerability reports now, and there is one sitting around without response at https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv.
>
> Possibly this was enabled unintentionally / without coordination with the security team? That should probably either be disabled again, or someone needs to keep an eye on it.

I had enabled that some weeks ago, since there has been a spam attack on bugsnet, so we could test the new feature. I probably should have written to the list right away, or at least have kept an eye on it, but I had assumed I would be notified about reported issues. I'll have a closer look at the rather verbose report tomorrow, if nobody beats me to it.

Generally, I'm in favor of keeping security reports on GitHub enabled; we should stop user (not developer) comments on bugsnet as soon as possible; there has been more spam than useful comments for quite a while, and I think GitHub offers better features to handle that.

Regarding the access rights on security advisories: currently only php owners[1] may see and collaborate there. To my knowledge, most of those who are subscribed to the security mailing list are already in that group, but if need be, others might be added, or maybe it's preferable to create a new team for this.

Thoughts?

[1]

--
Christoph M. Becker