Newsgroups: php.internals
Date: Mon, 17 Mar 2014 23:59:51 +0200
Subject: Re: [PHP-DEV] Session: deprecating create_sid() method and add createSid()?
From: narf@devilix.net (Andrey Andreev)
To: Pierre Joye
Cc: Yasuo Ohgaki, "internals@lists.php.net"

Hi,

On Mon, Mar 17, 2014 at 11:15 PM, Pierre Joye wrote:
> hi,
>
> On Mon, Mar 17, 2014 at 10:09 PM, Yasuo Ohgaki wrote:
>
> For one, I appreciate the effort that both of you put on the session management.
>
> It seems that you are somehow alone to discuss this issue and slightly
> in circle right now.
>
> I would suggest two steps:
>
> - sit down together for a chat and get your stuff together. It will be by
> far more efficient than mails
>
> - write one or more RFCs to fix what should be fixed, how and why (see
> next point :)
>
> - provide more info about the actual critical security impact that
> could be fixed by the changes
> as of now, I failed to see any CVE related to what you are referring to

We'll surely do that. In fact, I was just about to write Yasuo a private mail about some security issues, because I didn't find an option to report a bug and make it hidden. Is there such an option, or does the CVE assignment process allow that? (I'm not familiar with it)

Cheers,
Andrey.