On Sat, Jun 24, 2023, at 21:39, Nikita Popov wrote:
> On Fri, Dec 30, 2022, at 22:39, Christoph M. Becker wrote:
> > On 30.12.2022 at 22:12, Nikita Popov wrote:
> > >
> > > On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
> > >
> > >> On 09.11.2022 at 23:27, Nikita Popov wrote:
> > >>
> > >>> It looks like GitHub has just added support for private security reports:
> > >>> https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
> > >>>
> > >>> I haven't looked into the details, but it probably makes sense to enable those on php-src and make this our official venue for security bug reports.
> > >>> This would allow retiring the last remaining use of bugs.php.net (well, apart from the archive of old issues, which should of course remain).
> > >>
> > >> I agree, but maybe the security team is in favor of sticking with bugs.php.net.
> > >
> > > I noticed that the php-src repo does enable private vulnerability reports now, and there is one sitting around without response at
> > > https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv.
> > >
> > > Possibly this was enabled unintentionally / without coordination with the security team? That should probably either be disabled again, or someone needs to keep an eye on it.
> >
> > I had enabled that some weeks ago, since there had been a spam attack on bugsnet, so we could test the new feature. I probably should have written to the list right away, or at least have kept an eye on it, but I had assumed I would be notified about reported issues.
> >
> > I'll have a closer look at the rather verbose report tomorrow, if nobody beats me to it.
> >
> > Generally, I'm in favor of keeping security reports on GitHub enabled; we should stop user (not developer) comments on bugsnet as soon as possible; there has already been more spam than useful comments for quite a while, and I think GitHub offers better features to handle that.
> >
> > Regarding the access rights on security advisories: currently only php owners[1] may see and collaborate there. To my knowledge, most of those who are subscribed to the security mailing list are already in that group, but if need be, others might be added, or maybe it's preferable to create a new team for this.
> >
> > Thoughts?
>
> Security bug reports on GitHub have been active for a while now, with about 10 reports having been processed.
>
> I wanted to check back whether security folks are happy with the process, and whether it is time to make this the official channel for security reports, which would allow us to disable issue creation on bugs.php.net entirely. (I saw that the reports are 90% spam at this point.)
I just realized that our security policy already points at GitHub security advisories rather than bugs.php.net here:
https://github.com/php/php-src/security/policy#how-do-i-report-a-security-issue

So I went ahead and submitted a PR to remove support for creation of new bug reports on bugs.php.net:
https://github.com/php/web-bugs/pull/115

Regards,
Nikita