On Mon, Oct 24, 2016 at 4:19 PM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:
> >
> > > c. Get some specific people to volunteer to review patches in security
> > > repo regularly - how? Any takers?
> > >
> > OFC it'd be ideal to have some karma holders to participate. And another
> > option, which is IMHO eligible - we could invite several reporters. There
> > are already a couple of people who regularly report security issues and
> > keep them confidential until they're publicly disclosed. IMHO it is a good
> > base for trust.
> >
>
> Yes, in the end this is about getting Stas some help here. He has been
> doing an incredible job for years now handling all these annoying
> off-by-one and >2gb string bugs. I occasionally read through the patches,
> but I haven't been doing it consistently and even though there are a few
> other people on security@ who occasionally look through the patches, it
> obviously isn't enough.
>
> As a first step perhaps we just need to expand security@ a bit with the
> specific call for volunteers to help review security patches?
>

I would be happy to help with review / fixes especially for json that I
maintain and openssl that I sort of try to maintain too. But I could also
help with review of some other exts if time allows.

Cheers

Jakub