Newsgroups: php.internals
Subject: Re: [PHP-DEV] Security issue handling
From: Joe Watkins <pthreads@pthreads.org>
To: Leigh
Cc: Stanislav Malyshev, PHP Internals
Date: Wed, 2 Nov 2016 11:29:26 +0000
References: <3a5408bc-b71d-920c-45e4-b9be02350b6c@gmail.com>

Morning,

Stas, consider Leigh vouched for; please add him to the sec lists and private bugs.

Cheers
Joe

On Wed, Nov 2, 2016 at 11:14 AM, Leigh wrote:
> On 24 October 2016 at 06:16, Stanislav Malyshev wrote:
> > Hi!
> >
> > I'd like to discuss an issue about security bug handling.
> >
> > We have a security repo which I and others check bugs into from time to
> > time. The idea is for these to be reviewed by people having access there
> > before we merge them, and then merged after the release.
> >
> > This, however, is not happening at all. The patches, as far as I know,
> > are not reviewed at all, and merging a bunch of patches last minute with
> > no review is extremely dangerous. I am trying my best with my patches,
> > but I'm only human, and I feel increasingly uncomfortable having so many
> > unreviewed patches in the release.
> >
> > So, how can we fix it?
> >
> > a. We could merge some of the patches at the RC stage, even though that
> >    might expose some issues.
> > b. We could somehow improve the review mechanism beyond the security repo
> >    we have now - ideas?
> > c. Get some specific people to volunteer to review patches in the security
> >    repo regularly - how? Any takers?
> >
> > Would like to hear thoughts on this one.
> > --
> > Stas Malyshev
> > smalyshev@gmail.com
>
> Hey Stas,
>
> If it's extra volunteers that you need, I would also be happy to help
> out where I can, investigating reported issues, writing and reviewing
> patches.
>
> * I have a provable interest in security
> * I've submitted security issues (to PHP and other projects) in the past
> * I have worked on security features for the PHP runtime in the past
> * I already have karma \o/
>
> Regards,
>
> Leigh.
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php