Hi!
I think the way security/private issues are implemented now in bugs DB
is wrong. It allows only access to a handful of people, and many package
maintainers and people that know the code in question are excluded. This
makes promptly handling bugs very hard. I propose one of:
- Adding a lot more people to trusted list
- Implementing functionality allowing to add people to private bug on
per-bug basis.
As a stepping stone for (2) I think we should always allow access to the
person the bug is assigned to. If I hear no objections, I'll implement
it first (the full fix probably requires DB access which I don't have).
Thoughts?
Stas Malyshev
smalyshev@gmail.com
2016-08-15 19:12 GMT+02:00 Stanislav Malyshev smalyshev@gmail.com:
> Hi!
> I think the way security/private issues are implemented now in bugs DB
> is wrong. It allows only access to a handful of people, and many package
> maintainers and people that know the code in question are excluded. This
> makes promptly handling bugs very hard. I propose one of:
> - Adding a lot more people to trusted list
> - Implementing functionality allowing to add people to private bug on
> per-bug basis.
> As a stepping stone for (2) I think we should always allow access to the
> person the bug is assigned to. If I hear no objections, I'll implement
> it first (the full fix probably requires DB access which I don't have).
For that to work, we probably need user accounts first for those without
PHP.net account.
It's anyway bad to have per bug passwords instead of simple user accounts
where you can see all your reported bugs without a PHP.net account.
Regards, Niklas
> It's anyway bad to have per bug passwords instead of simple user accounts
> where you can see all your reported bugs without a PHP.net account.
Well, the advanced search allows to filter by author email, e.g.
https://bugs.php.net/search.php?search_for=&boolean=0&limit=30&order_by=&direction=DESC&cmd=display&status=Open&bug_type=All&project=All&php_os=&phpver=&cve_id=&assign=&author_email=me%40kelunik.com&bug_age=0&bug_updated=0.
--
Christoph M. Becker
Hi Stas
2016-08-15 19:12 GMT+02:00 Stanislav Malyshev smalyshev@gmail.com:
> Hi!
> I think the way security/private issues are implemented now in bugs DB
> is wrong. It allows only access to a handful of people, and many package
> maintainers and people that know the code in question are excluded. This
> makes promptly handling bugs very hard. I propose one of:
> - Adding a lot more people to trusted list
> - Implementing functionality allowing to add people to private bug on
> per-bug basis.
I don't see why we cannot have both? Have active Core Developers added
to the trusted-devs.inc and an option to add in additional developers
that may not be on the list that could be of relation to the bug.
--
regards,
Kalle Sommer Nielsen
kalle@php.net