Morning, Stas, consider Leigh vouched for, please add him to sec lists and private bugs.
Cheers
Joe

On Wed, Nov 2, 2016 at 11:14 AM, Leigh <lei...@gmail.com> wrote:
> On 24 October 2016 at 06:16, Stanislav Malyshev <smalys...@gmail.com> wrote:
> > Hi!
> >
> > I'd like to discuss an issue about security bugs handling.
> >
> > We have a security repo which I and others check into bugs from time to time. The idea is for these to be reviewed by people having access there before we merge them, and then merge after the release.
> >
> > This, however, is not happening at all. The patches, as far as I know, are not reviewed at all, and merging a bunch of patches last minute with no review is extremely dangerous. I am trying my best with my patches, but I'm only human, and I feel increasingly uncomfortable having so many unreviewed patches in the release.
> >
> > So, how can we fix it?
> >
> > a. We could merge some of the patches on RC stage, even though that might expose some issues.
> > b. We could somehow improve the review mechanism beyond the security repo we have now - ideas?
> > c. Get some specific people to volunteer to review patches in the security repo regularly - how? Any takers?
> >
> > Would like to hear thoughts on this one.
> > --
> > Stas Malyshev
> > smalys...@gmail.com
>
> Hey Stas,
>
> If it's extra volunteers that you need, I would also be happy to help out where I can, investigating reported issues, writing and reviewing patches.
>
> * I have a provable interest in security
> * I've submitted security issues (to PHP and other projects) in the past
> * I have worked on security features for the PHP runtime in the past
> * I already have karma \o/
>
> Regards,
>
> Leigh.
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php