Newsgroups: php.internals
From: me@kelunik.com (Niklas Keller)
To: Stanislav Malyshev
Cc: PHP Internals
Subject: Re: [PHP-DEV] rethinking security issues in bugs db
Date: Mon, 15 Aug 2016 19:28:46 +0200

2016-08-15 19:12 GMT+02:00 Stanislav Malyshev:

> Hi!
>
> I think the way security/private issues are implemented now in bugs DB
> is wrong. It allows only access to a handful of people, and many package
> maintainers and people that know the code in question are excluded. This
> makes promptly handling bugs very hard. I propose one of:
>
> 1. Adding a lot more people to trusted list
> 2. Implementing functionality allowing to add people to private bug on
> per-bug basis.
>
> As a stepping stone for (2) I think we should always allow access to the
> person the bug is assigned to. If I hear no objections, I'll implement
> it first (the full fix probably requires DB access which I don't have).

For that to work, we probably need user accounts first for those without a PHP.net account. It's anyway bad to have per-bug passwords instead of simple user accounts where you can see all your reported bugs without a PHP.net account.

Regards, Niklas