Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:95198 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 80968 invoked from network); 15 Aug 2016 17:12:42 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 15 Aug 2016 17:12:42 -0000 Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.179 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.192.179 mail-pf0-f179.google.com Received: from [209.85.192.179] ([209.85.192.179:33392] helo=mail-pf0-f179.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id AA/A6-36656-908F1B75 for ; Mon, 15 Aug 2016 13:12:42 -0400 Received: by mail-pf0-f179.google.com with SMTP id y134so18522504pfg.0 for ; Mon, 15 Aug 2016 10:12:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=V5Bs4TFoaNcE0TwolZPF0GQY86oGrFKq9nCDByR5dG8=; b=wSQZjRaDxoVOKfMozTRm9pp/HVT6SY744CVeipM/2qA/ueDAiJ81XewVKG09B64SCN zQuwIJ3HN0EAY5WbWzP14QT+0VmyLD1C3cgYelzEjmjotRBu40BXvqNKKSJ9fvlUjCNM R/BboxO1l3yC5vS9+iuAE9vRBfMMyiEmPAT1JuOdV3J622dyZZvW64KyIwf1xmpY+wJl qxrZRN9wmnkU3oc1oPmo+2Kxepfcwnpx9aC3seZW0puREy17/wvbIG5hmwOzJz25/jdq TWo8vcboLm/6aUwvwTCNRrSiTh84a+uk+vMjmQE93C/SROCg9h/dPsJndfDsCmFgtz/8 1RfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=V5Bs4TFoaNcE0TwolZPF0GQY86oGrFKq9nCDByR5dG8=; b=aBuiavdeZHArgQSS0GYoMGKm69oxccwLWmRjOxULXhrcKryf5vXneZf5CXVkh8Mhjh yae6xsiKhuFLHxPyPLLHQbrFfwzc3Bq8783zXEBFDLJw9N0+RpP7i/e7e6NktTz0rKzv 0s0DdzrhVWos2Z38T7XfGdoQUfgNUdxv3Gqz+FydREpiNyLCEc0CWzBgt4WUTBh7ioyk EX5cUfIs+pPkCZyWvXTlhegTmFJuoIVqQfwZlL3GBgtGH7cNOWQX+KG1rxHqbBFqZhBG qXkl5/xH2PZ2jF3XzsVsVWNhY6B9cWnvbkVGe+nNomeIl9r8xiIs3ZQNDCBvUMStQMY/ SNgA== X-Gm-Message-State: AEkoous8LxjoKfu4SQBnAWBbxLHU86D7ZppP/pE+9Vg16v+rcqteJ0hO43ccaSA7umyznQ== X-Received: by 10.98.87.138 with SMTP id i10mr56086097pfj.16.1471281159192; Mon, 15 Aug 2016 10:12:39 -0700 (PDT) Received: from Stas-Air.local (108-233-206-104.lightspeed.sntcca.sbcglobal.net. [108.233.206.104]) by smtp.gmail.com with ESMTPSA id g27sm32836050pfd.47.2016.08.15.10.12.38 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 15 Aug 2016 10:12:38 -0700 (PDT) To: PHP Internals Message-ID: Date: Mon, 15 Aug 2016 10:12:37 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: rethinking security issues in bugs db From: smalyshev@gmail.com (Stanislav Malyshev) Hi! I think the way security/private issues are implemented now in bugs DB is wrong. It allows only access to a handful of people, and many package maintainers and people that know the code in question are excluded. This makes promptly handling bugs very hard. I propose one of: 1. Adding a lot more people to trusted list 2. Implementing functionality allowing to add people to private bug on per-bug basis. As a stepping stone for (2) I think we should always allow access to the person the bug is assigned to. If I hear no objections, I'll implement it first (the full fix probably requires DB access which I don't have). Thoughts? -- Stas Malyshev smalyshev@gmail.com