To: PHP Internals
Message-ID: <3a5408bc-b71d-920c-45e4-b9be02350b6c@gmail.com>
Date: Sun, 23 Oct 2016 22:16:02 -0700
Subject: Security issue handling
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

I'd like to discuss an issue about security bug handling. We have a security repo which I and others check bugs into from time to time. The idea is for these to be reviewed by people having access there before we merge them, and then merge after the release. This, however, is not happening at all. The patches, as far as I know, are not reviewed at all, and merging a bunch of patches last minute with no review is extremely dangerous. I am trying my best with my patches, but I'm only human, and I feel increasingly uncomfortable having so many unreviewed patches in the release.

So, how can we fix it?

a. We could merge some of the patches at the RC stage, even though that might expose some issues.
b. We could somehow improve the review mechanism beyond the security repo we have now - ideas?
c. Get some specific people to volunteer to review patches in the security repo regularly - how? Any takers?

Would like to hear thoughts on this one.

--
Stas Malyshev
smalyshev@gmail.com