Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96662
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 60325 invoked from network); 30 Oct 2016 22:00:57 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 30 Oct 2016 22:00:57 -0000
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.179 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.192.179 mail-pf0-f179.google.com  
Received: from [209.85.192.179] ([209.85.192.179:34420] helo=mail-pf0-f179.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A3/27-25911-89D66185 for <internals@lists.php.net>; Sun, 30 Oct 2016 17:00:57 -0500
Received: by mail-pf0-f179.google.com with SMTP id n85so65856510pfi.1
        for <internals@lists.php.net>; Sun, 30 Oct 2016 15:00:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=+447I/qtYy4Bx2relGXkXvCu5qODsCFwXjGRzY4pF14=;
        b=IKQCh4cIP4DdTvWrtv/0WOkaxXAIMz2RoH6oKg/3SIRWMmcZtuE+Au+gdBMwAa7GnT
         T1zWiUnGJeW8sP7zbgkk4AfWlOJ3ho935oxkZOA9WRl1y2lDtPIBypGyIH16/4oNgKDd
         lb6/Ip2aWiUfQpjrJBAi4+ZnSqUCCeXLahk903mNrrGXXNWd7dUuk3nHFqEufxs/WRzJ
         LrYkIQa5YHQxtd+qJTF7YrczAEq7/kTLcp+J+CQceCvZmU+DpF9APkZguLnaBSd99RmL
         0+pOjSgAaSjFV28gEWqHpsAoL8cso3nGkYkaIlAhnkaVFILFF7Qedc32/s1JW3hYbQ5p
         6OCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=+447I/qtYy4Bx2relGXkXvCu5qODsCFwXjGRzY4pF14=;
        b=lQTlIkHZe2Qmn2EP2xDNJvG3AoTNFDtZaFm3chIgMYGEf0LW7UUQBiPOOqnKswZvSU
         t6m1v4sZ5cuTyRaaGLns7E+F5b2k5oQQHZ7c5mGNaeeQN099Hx42rX92HYfKgjVwh89i
         eICa6qDJwZd/Of1ivX6Y+zC4BAlYzebdZZsqPjWkYNLoCk6Q+RrZiYKue6vUgCw0KQ11
         G6jCLc5YmAFlV9kjbXhQHuCoq0FqNEB/HObJF+Th2r2Fbh49yDfIS4p6gSdO2vxQKQuw
         u0jY3DbKYujOHlkG8sOQNGoHwaaFpe1uZOC/YAVNM5OXKCMUVH23HGXnpkAEAFBnyebO
         Hyrg==
X-Gm-Message-State: ABUngvdWA+fML7lrDegUqbRYLp03+O3tjANnpf2gxowFkbegKYVT073jNWLUlAx+HDQLfg==
X-Received: by 10.98.92.68 with SMTP id q65mr43502342pfb.53.1477864853024;
        Sun, 30 Oct 2016 15:00:53 -0700 (PDT)
Received: from Stas-Air-3.local (108-233-206-104.lightspeed.sntcca.sbcglobal.net. [108.233.206.104])
        by smtp.gmail.com with ESMTPSA id lf4sm4395719pab.28.2016.10.30.15.00.52
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 30 Oct 2016 15:00:52 -0700 (PDT)
To: Anatol Belski <anatol.php@belski.net>,
 'PHP Internals' <internals@lists.php.net>
References: <3a5408bc-b71d-920c-45e4-b9be02350b6c@gmail.com>
 <01a901d22e06$ca4e3450$5eea9cf0$@belski.net>
Message-ID: <d8d88f58-a632-45d6-ba02-b9f9582eb30b@gmail.com>
Date: Sun, 30 Oct 2016 15:00:51 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
 Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <01a901d22e06$ca4e3450$5eea9cf0$@belski.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Security issue handling
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> release. Say, as we do it now, we tag two days before. It could be
> defined, for example, that any security patches intended for release
> inclusion, have to be merged into security repo, ported and tested 5
> days before tag. Fe Thursday/Friday in week before final, it is

That's nice but most patches right now are in security repo long before,
and still nobody reviews them. Also, the reality is that I mostly work
on patches on weekends, so that means either any of the patches I work
on one of the 4 weekends can't be merged for a month or we need a better
model.

> Maybe, it'd make sense also to have a finer privileges system on BT.
> Fe, several people could be allowed to review some selected tickets
> on BT, without having the actual security repo access. Say, any
> security team participant would be able to assign some new reviewer
> to a particular ticket.

That probably can be done, but let's say it's done now. Who I would be
assigning to the new issue? I have no idea who wants/can review it.

> OFC it'd be ideal to have some karma holders to participate. And
> another option, which is IMHO eligible - we could invite several
> reporters. There is already a couple of people, who regularly report
> security issues and keep them confident until they're publicly
> disclosed. IMHO it is a good base for trust.

The reporter is asked to review the patch anyway. I don't think I feel
comfortable inviting other reporters - unless I know who they are, which
right now is not true for most of them.

> Also, having people even without iternals knowledge, that could just
> test, were useful as well. For that case, we could find more people
> even without php-src karma or access to the security repos. Providing
> some test binaries only wouldn't be that hard. In that case, while we
> couldn't disclose the actual security issues, the "blind testing"
> could have a positive effect in determining unforeseen issues, too.

Hmm I don't know. I certainly won't have time to arrange binary builds
usable for people with no dev knowledge, but if somebody volunteers to
organize it, fine. But that again means a) disclosing security issues to
people before fix is available, so this should be people we know and b)
that should be people that want to commit substantial amount of time.

-- 
Stas Malyshev
smalyshev@gmail.com