Newsgroups: php.internals
Xref: news.php.net php.internals:120672
Message-ID: <5564aaa8-6d40-4ae3-9463-123c9df56c95@app.fastmail.com>
References: <25f35ef5-7f86-9aa3-a069-195a1ed39a91@gmx.de> <8fbb3af9-5fb5-1220-3b88-a42f5aaa40ef@gmx.de> <59f61bd5-8212-47af-857e-b452705b1811@app.fastmail.com>
Date: Sat, 24 Jun 2023 21:55:07 +0200
From: nikita.ppv@gmail.com ("Nikita Popov")
To: "Christoph M. Becker", "Stanislav Malyshev", "security@php.net"
Cc: "Levi Morrison"
Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues

On Sat, Jun 24, 2023, at 21:39, Nikita Popov wrote:
> On Fri, Dec 30, 2022, at 22:39, Christoph M. Becker wrote:
> > On 30.12.2022 at 22:12, Nikita Popov wrote:
> > >
> > > On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
> > >
> > >> On 09.11.2022 at 23:27, Nikita Popov wrote:
> > >>
> > >>> It looks like GitHub has just added support for private security reports:
> > >>> https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
> > >>>
> > >>> I haven't looked into the details, but it probably makes sense to enable
> > >>> those on php-src and make this our official venue for security bug reports.
> > >>> This would allow retiring the last remaining use of bugs.php.net (well,
> > >>> apart from the archive of old issues, which should of course remain).
> > >>
> > >> I agree, but maybe the security team is in favor of sticking with
> > >> bugs.php.net.
> > >
> > > I noticed that the php-src repo does enable private vulnerability reports now, and there is one sitting around without response at https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv.
> > >
> > > Possibly this was enabled unintentionally / without coordination with the security team? That should probably either be disabled again, or someone needs to keep an eye on it.
> >
> > I had enabled that some weeks ago, since there has been a spam attack on
> > bugsnet, so we could test the new feature. I probably should have
> > written to the list right away, or at least have kept an eye on it, but I
> > assumed I would be notified about reported issues.
> >
> > I'll have a closer look at the rather verbose report tomorrow, if nobody
> > beats me to it.
> >
> > Generally, I'm in favor of keeping security reports on GitHub enabled;
> > we should stop user (not developer) comments on bugsnet as soon as
> > possible; there has already been more spam than useful comments for quite a
> > while, and I think GitHub offers better features to handle that.
> >
> > Regarding the access rights on security advisories: currently only php
> > owners[1] may see and collaborate there. To my knowledge, most of those
> > who are subscribed to the security mailing list are already in that
> > group, but if need be, others might be added, or maybe it's preferable
> > to create a new team for this.
> >
> > Thoughts?
>
> Security bug reports on GitHub have been active for a while now, with about 10 reports having been processed.
>
> I wanted to check back whether security folks are happy with the process, and whether it is time to make this the official channel for security reports, which would allow us to disable issue creation on bugs.php.net entirely. (I saw that the reports are 90% spam at this point.)

I just realized that our security policy already points at GitHub security advisories rather than bugs.php.net here:
https://github.com/php/php-src/security/policy#how-do-i-report-a-security-issue

So I went ahead and submitted a PR to remove support for creation of new bug reports on bugs.php.net:
https://github.com/php/web-bugs/pull/115

Regards,
Nikita