Subject: Re: [PHP-DEV] Re: [RFC] Migrating to GitHub issues
From: Niels Dossche (dossche.niels@gmail.com)
To: internals@lists.php.net
Date: Sat, 24 Jun 2023 23:44:40 +0200

On 6/24/23 21:39, Nikita Popov wrote:
> On Fri, Dec 30, 2022, at 22:39, Christoph M. Becker wrote:
>> On 30.12.2022 at 22:12, Nikita Popov wrote:
>>
>>> On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
>>>
>>>> On 09.11.2022 at 23:27, Nikita Popov wrote:
>>>>
>>>>> It looks like GitHub has just added support for private security reports:
>>>>> https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
>>>>>
>>>>> I haven't looked into the details, but it probably makes sense to enable
>>>>> those on php-src and make this our official venue for security bug reports.
>>>>> This would allow retiring the last remaining use of bugs.php.net (well,
>>>>> apart from the archive of old issues, which should of course remain).
>>>>
>>>> I agree, but maybe the security team is in favor of sticking with
>>>> bugs.php.net.
>>>
>>> I noticed that the php-src repo does enable private vulnerability reports
>>> now, and there is one sitting around without response at
>>> https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv.
>>>
>>> Possibly this was enabled unintentionally / without coordination with the
>>> security team? That should probably either be disabled again, or someone
>>> needs to keep an eye on it.
>>
>> I had enabled that some weeks ago, since there has been a spam attack on
>> bugsnet, so we could test the new feature. I probably should have
>> written to the list right away, or at least have kept an eye on it, but I
>> assumed I would be notified about reported issues.
>>
>> I'll have a closer look at the rather verbose report tomorrow, if nobody
>> beats me to it.
>>
>> Generally, I'm in favor of keeping security reports on GitHub enabled;
>> we should stop user (not developer) comments on bugsnet as soon as
>> possible; there has already been more spam than useful comments for quite
>> a while, and I think GitHub offers better features to handle that.
>>
>> Regarding the access rights on security advisories: currently only php
>> owners[1] may see and collaborate there. To my knowledge, most of those
>> who are subscribed to the security mailing list are already in that
>> group, but if need be, others might be added, or maybe it's preferable
>> to create a new team for this.
>>
>> Thoughts?
>
> Security bug reports on GitHub have been active for a while now, with
> about 10 reports having been processed.
>
> I wanted to check back whether security folks are happy with the process,
> and whether it is time to make this the official channel for security
> reports, which would allow us to disable issue creation on bugs.php.net
> entirely. (I saw that the reports are 90% spam at this point.)
>
> Regards,
> Nikita
>

FWIW, if you press the "new issue" button on GitHub you get to this page:
https://github.com/php/php-src/issues/new/choose

If you choose the last option "Security Issue" you still get redirected to
the bugs.php.net bugtracker. Interestingly, there's also a "Report a security
vulnerability" option in the middle which brings you to the private report
page on GitHub. I guess this should be updated too.

Kind regards
Niels