Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues
From: nikita.ppv@gmail.com ("Nikita Popov")
To: "Christoph M. Becker", "Stanislav Malyshev", "security@php.net"
Cc: "Levi Morrison"
Date: Sat, 24 Jun 2023 21:39:27 +0200
References: <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de> <8fbb3af9-5fb5-1220-3b88-a42f5aaa40ef@gmx.de> <59f61bd5-8212-47af-857e-b452705b1811@app.fastmail.com>

On Fri, Dec 30, 2022, at 22:39, Christoph M. Becker wrote:
> On 30.12.2022 at 22:12, Nikita Popov wrote:
>
> > On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
> >
> >> On 09.11.2022 at 23:27, Nikita Popov wrote:
> >>
> >>> It looks like GitHub has just added support for private security reports:
> >>> https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
> >>>
> >>> I haven't looked into the details, but it probably makes sense to enable
> >>> those on php-src and make this our official venue for security bug reports.
> >>> This would allow retiring the last remaining use of bugs.php.net (well,
> >>> apart from the archive of old issues, which should of course remain).
> >>
> >> I agree, but maybe the security team is in favor of sticking with
> >> bugs.php.net.
> >
> > I noticed that the php-src repo does enable private vulnerability reports now, and there is one sitting around without response at https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv.
> >
> > Possibly this was enabled unintentionally / without coordination with the security team? That should probably either be disabled again, or someone needs to keep an eye on it.
>
> I had enabled that some weeks ago, since there has been a spam attack on
> bugsnet, so we could test the new feature. I probably should have
> written to the list right away, or at least have kept an eye on it, but I
> had assumed I would be notified about reported issues.
>
> I'll have a closer look at the rather verbose report tomorrow, if nobody
> beats me to it.
>
> Generally, I'm in favor of keeping security reports on GitHub enabled;
> we should stop user (not developer) comments on bugsnet as soon as
> possible; there has been more spam than useful comments for quite a
> while, and I think GitHub offers better features to handle that.
>
> Regarding the access rights on security advisories: currently only php
> owners[1] may see and collaborate there. To my knowledge, most of those
> who are subscribed to the security mailing list are already in that
> group, but if need be, others might be added, or maybe it's preferable
> to create a new team for this.
>
> Thoughts?

Security bug reports on GitHub have been active for a while now, with about 10 reports having been processed. I wanted to check back whether security folks are happy with the process, and whether it is time to make this the official channel for security reports, which would allow us to disable issue creation on bugs.php.net entirely. (I saw that the reports are 90% spam at this point.)

Regards,
Nikita