Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96706 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 74277 invoked from network); 2 Nov 2016 11:14:54 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Nov 2016 11:14:54 -0000 Authentication-Results: pb1.pair.com header.from=leight@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=leight@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.41 as permitted sender) X-PHP-List-Original-Sender: leight@gmail.com X-Host-Fingerprint: 209.85.218.41 mail-oi0-f41.google.com Received: from [209.85.218.41] ([209.85.218.41:35169] helo=mail-oi0-f41.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 99/B3-34238-DAAC9185 for ; Wed, 02 Nov 2016 06:14:54 -0500 Received: by mail-oi0-f41.google.com with SMTP id x4so12665908oix.2 for ; Wed, 02 Nov 2016 04:14:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=bsjiwY50bwHiPD+6iGgKnH2yVc2G608dMF+I9XtKC0A=; b=fuge0UyOz8IXa+Vfr6NXpA0SC4yw1wXofS8Ayzgc1NCVERXJ/IktxfNu1Epv5WpPnE 6gqi7MhkmDgFXJt0HrnIytFPNJflzNp5QuE/IukZQqZMt4ath7F4Rl4OS19bpO8celPT /RR22sPMHm0zSdlZZli57CW6eOzG9IlFzSK+o2AF3MfB88jf7/mngzLqtn2TSdC5EP5W uknleVUBkn1sS0gDAEL07h1wai0tmRNMnDaNjiP0nbCUKZ5ChRuZhst29Gk9ngmHbPD/ P4UahpIFa/LAPpVombe3NCmlj4Uc7JSgTx2LzLLv5pcw0fMhwSz50/o+vlsF6RLbr5uE dF3A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=bsjiwY50bwHiPD+6iGgKnH2yVc2G608dMF+I9XtKC0A=; b=G7IbHQuaEnZRuefSek3SVSm85YijBcj9GfDv+6m30a8zC66PLTU8QEuWlipSyhpc7A Y3vO+x4/TvhJiVYIxiggDdJCqB5F8ZYOlLHQ+nQgtcXqS1AzJez3l6kVANXUXEZtGcGr Df7KbpcE9cuTXY4Fs9SbldTYPntb+eA+KaS5nYtFOYcYnOd6ZaT21/WER2Gr1512HnGe t5fIIRa+sl2O4gVuVd8bIDO5zqbo7l1Wr+3YDsr4x1qbRaNiZQHrReAJ3QbtT3kXdZjI pPmCYGVOBI07g7VQv5xnaJNVM/rECTf/d8MH4n88R6oyc9LVSOLbypiFRozbBF6GaP6i /lLw== X-Gm-Message-State: ABUngvd/UMykHbMXwkL+h1Zo2QVkmPyyrUGdcmeb/iQbLaTJRXkTstGK2hthDV+qqOsFsaL0w9Qri3ZaEzg8Ug== X-Received: by 10.157.60.174 with SMTP id z43mr1743378otc.178.1478085290619; Wed, 02 Nov 2016 04:14:50 -0700 (PDT) MIME-Version: 1.0 Received: by 10.182.189.10 with HTTP; Wed, 2 Nov 2016 04:14:50 -0700 (PDT) In-Reply-To: <3a5408bc-b71d-920c-45e4-b9be02350b6c@gmail.com> References: <3a5408bc-b71d-920c-45e4-b9be02350b6c@gmail.com> Date: Wed, 2 Nov 2016 11:14:50 +0000 Message-ID: To: Stanislav Malyshev Cc: PHP Internals Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] Security issue handling From: leight@gmail.com (Leigh) On 24 October 2016 at 06:16, Stanislav Malyshev wrote: > Hi! > > I'd like to discuss an issue about security bugs handling. > > We have a security repo which I and others check into bugs from time to > time. The idea is for these to be reviewed by people having access there > before we merge them, and then merge after the release. > > This, however, is not happening at all. The patches, as far as I know, > are not reviewed at all, and merging a bunch of patches last minute with > no review is extremely dangerous. I am trying my best with my patches, > but I'm only human, and I feel increasingly uncomfortable having so many > unreviewed patches in the release. > > So, how we can fix it? > > a. We could merge some of the patches on RC stage, even though that > might expose some issues. > b. We could somehow improve review mechanism beyond security repo we > have now - ideas? > c. Get some specific people to volunteer to review patches in security > repo regularly - how? Any takers? > > Would like to hear thoughts on this one. > -- > Stas Malyshev > smalyshev@gmail.com Hey Stas, If it's extra volunteers that you need, I would also be happy to help out where I can, investigating reported issues, writing and reviewing patches. * I have a provable interest in security * I've submitted security issues (to PHP and other projects) in the past * I have worked on security features for the PHP runtime in the past * I already have karma \o/ Regards, Leigh.