Hi,
> Having moved our workflow to github, now seems to be the time to seriously
> consider retiring bugsnet for general use, and using the tools that are
> waiting for us - Github Issues.
>

+1, I have been dealing with bugsnet quite a bit as part of maintaining openssl ext and FPM and it really sucks. Github issues are much better from the maintainer point of view.

> I'm aware that bugsnet serves as the disclosure method for security bugs
> and github doesn't have a solution to that. Leaving that to one side for
> now ...
>

NodeJS uses hackerone which has got free plans for open source so that might be an option. I'm sure there are more options and we don't have to keep bugsnet for that too. But agree that starting with normal bugs and requests is a way to go.

> I'm also aware that bugsnet carries with it 20 years worth of crusty old
> feature requests and bugs, that are never realistically going to be dealt
> with. In the past I've spent time trying to close very old bugs that no
> longer seem relevant, the fact is that there are so many of these that I
> don't think I made a dent.
>

Lots of them are still valid though. At least the ones for openssl and fpm that I track. It's not completely true that they are not going to be dealt with. For example just recently Christoph made a PR for a pkcs7 issue reported in 2005 and I'm looking for a way to write a test for it. Just want to say that those are still valid and we will likely need some kind of migration for many of those bugs even though OP is not active. It could be just a tool that maintainers can use for selected bugs. I guess just having some export in json for each bug would be great. Then the tool to create a new issue and comments in gh would be easy - I could even write it myself.. :)

> It seems obvious that we don't want to migrate all of the data on bugsnet,
> but nor do we want to lose the most recent and relevant reports.
>
> I propose that we disable bugsnet for all but security issues leaving
> responsible disclosure method to be handled in some other way at a later
> date. Leaving bugsnet in a (mostly) readonly mode.
>

Could we just leave it editable for VCS users only? That would help with tracking and closing the migrated issues. It would eliminate spam so it should be fine to keep it like that for some time.

Cheers

Jakub