Newsgroups: php.internals
Xref: news.php.net php.internals:96598
From: bukka@php.net (Jakub Zelenka)
To: Rasmus Lerdorf
Cc: Anatol Belski, Stanislav Malyshev, PHP Internals
Date: Mon, 24 Oct 2016 16:37:28 +0100
Subject: Re: [PHP-DEV] Security issue handling
References: <3a5408bc-b71d-920c-45e4-b9be02350b6c@gmail.com> <01a901d22e06$ca4e3450$5eea9cf0$@belski.net>

On Mon, Oct 24, 2016 at 4:19 PM, Rasmus Lerdorf wrote:

>
> > > > c. Get some specific people to volunteer to review patches in security
> > > > repo regularly - how? Any takers?
> > >
> > OFC it'd be ideal to have some karma holders to participate. And another
> > option, which is IMHO eligible - we could invite several reporters. There
> > is already a couple of people, who regularly report security issues and
> > keep them confident until they're publicly disclosed. IMHO it is a good
> > base for trust.
> >
>
> Yes, in the end this is about getting Stas some help here. He has been
> doing an incredible job for years now handling all these annoying
> off-by-one and >2gb string bugs. I occasionally read through the patches,
> but I haven't been doing it consistently and even though there are a few
> other people on security@ who occasionally look through the patches, it
> obviously isn't enough.
>
> As a first step perhaps we just need to expand security@ a bit with the
> specific call for volunteers to help review security patches?
>

I would be happy to help with review / fixes especially for json that I
maintain and openssl that I sort of try to maintain too. But I could also
help with review of some other exts if time allows.

Cheers

Jakub