Re: [PHP-DEV] Security issue handling

2016-11-11 Thread Derick Rethans
On Wed, 2 Nov 2016, Joe Watkins wrote:
> Morning,
>
> Stas, consider Leigh vouched for, please add him to sec lists and private
> bugs.

I've given him karma to look at the security (private) bugs.

cheers,
Derick

Re: [PHP-DEV] Security issue handling

2016-11-09 Thread Kalle Sommer Nielsen
2016-11-10 0:43 GMT+01:00 Anatol Belski :
> At this point, what were our course of action? Seems there might be multiple
> tasks
>
> - granting the willing devs security karma
> - setting up a private CI
> - organizing a security team
>
> It probably would make sense, to make some plan on what is

RE: [PHP-DEV] Security issue handling

2016-11-09 Thread Anatol Belski
Hi,
> -Original Message-
> From: Stanislav Malyshev [mailto:smalys...@gmail.com]
> Sent: Saturday, November 5, 2016 8:13 PM
> To: Matteo Beccati ; PHP Internals
>
> Subject: Re: [PHP-DEV] Security issue handling
>
> Hi!
>
> > On 24/10/2016 07:16, Stan

Re: [PHP-DEV] Security issue handling

2016-11-06 Thread Leigh
On Sat, 5 Nov 2016 at 19:13 Stanislav Malyshev wrote:
> Hi!
>
> > On 24/10/2016 07:16, Stanislav Malyshev wrote:
> >> c. Get some specific people to volunteer to review patches in security
> >> repo regularly - how? Any takers?
> >
> > I'd be happy to help with reviewing and also setting up a pri

Re: [PHP-DEV] Security issue handling

2016-11-05 Thread Stanislav Malyshev
Hi!
> On 24/10/2016 07:16, Stanislav Malyshev wrote:
>> c. Get some specific people to volunteer to review patches in security
>> repo regularly - how? Any takers?
>
> I'd be happy to help with reviewing and also setting up a private C.I.
> to build and run the test suite regularly, if you think

Re: [PHP-DEV] Security issue handling

2016-11-03 Thread Matteo Beccati
Hi,

On 24/10/2016 07:16, Stanislav Malyshev wrote:
> c. Get some specific people to volunteer to review patches in security
> repo regularly - how? Any takers?

I'd be happy to help with reviewing and also setting up a private C.I. to build and run the test suite regularly, if you think that's a g

Re: [PHP-DEV] Security issue handling

2016-11-02 Thread Joe Watkins
Morning,

Stas, consider Leigh vouched for, please add him to sec lists and private bugs.

Cheers
Joe

On Wed, Nov 2, 2016 at 11:14 AM, Leigh wrote:
> On 24 October 2016 at 06:16, Stanislav Malyshev wrote:
> > Hi!
> >
> > I'd like to discuss an issue about security bugs handling.
> >
> > We ha

Re: [PHP-DEV] Security issue handling

2016-11-02 Thread Leigh
On 24 October 2016 at 06:16, Stanislav Malyshev wrote:
> Hi!
>
> I'd like to discuss an issue about security bugs handling.
>
> We have a security repo which I and others check into bugs from time to
> time. The idea is for these to be reviewed by people having access there
> before we merge them,

Re: [PHP-DEV] Security issue handling

2016-11-01 Thread Yasuo Ohgaki
Hi all,

On Wed, Nov 2, 2016 at 7:28 AM, Jakub Zelenka wrote:
> On Sun, Oct 30, 2016 at 10:09 PM, Stanislav Malyshev wrote:
>
>> Great, thanks! So besides assigning the issues for the said extensions
>> to you, what model for coordinating reviews would you prefer?
>
> I'm not sure wh

Re: [PHP-DEV] Security issue handling

2016-11-01 Thread Jakub Zelenka
Hi

On Sun, Oct 30, 2016 at 10:09 PM, Stanislav Malyshev wrote:
>
> Great, thanks! So besides assigning the issues for the said extensions
> to you, what model for coordinating reviews would you prefer?

I'm not sure what the current flow is but it would be great to send info about fixed iss

Re: [PHP-DEV] Security issue handling

2016-11-01 Thread Christoph M. Becker
On 01.11.2016 at 02:39, Anatol Belski wrote:
> […] And as a fallback, if no enough reaction is to see, check other
> ways to achieve more QA. […]

Not directly related to this thread, but to QA in general: could somebody please fix ? The page is down for m

RE: [PHP-DEV] Security issue handling

2016-10-31 Thread Anatol Belski
Hi Stas,
> -Original Message-
> From: Stanislav Malyshev [mailto:smalys...@gmail.com]
> Sent: Sunday, October 30, 2016 11:01 PM
> To: Anatol Belski ; 'PHP Internals'
>
> Subject: Re: [PHP-DEV] Security issue handling
>
> Hi!
>
> > release. S

Re: [PHP-DEV] Security issue handling

2016-10-30 Thread 陈亮
Hi,
>> OFC it'd be ideal to have some karma holders to participate. And
>> another option, which is IMHO eligible - we could invite several
>> reporters. There is already a couple of people, who regularly report
>> security issues and keep them confident until they're publicly
>> disclosed. IMHO i

Re: [PHP-DEV] Security issue handling

2016-10-30 Thread Stanislav Malyshev
Hi!
> I would be happy to help with review / fixes especially for json that I
> maintain and openssl that I sort of try to maintain too. But I could
> also help with review of some other exts if time allows.

Great, thanks! So besides assigning the issues for the said extensions to you, what model

Re: [PHP-DEV] Security issue handling

2016-10-30 Thread Stanislav Malyshev
Hi!
> release. Say, as we do it now, we tag two days before. It could be
> defined, for example, that any security patches intended for release
> inclusion, have to be merged into security repo, ported and tested 5
> days before tag. Fe Thursday/Friday in week before final, it is

That's nice but

Re: [PHP-DEV] Security issue handling

2016-10-24 Thread Kalle Sommer Nielsen
2016-10-24 17:19 GMT+02:00 Rasmus Lerdorf :
> As a first step perhaps we just need to expand security@ a bit with the
> specific call for volunteers to help review security patches?

Maybe we should make the security issues available to those who actively contribute to PHP, like Jakub, Christoph w

Re: [PHP-DEV] Security issue handling

2016-10-24 Thread Christoph M. Becker
On 24.10.2016 at 17:19, Rasmus Lerdorf wrote:
>>> c. Get some specific people to volunteer to review patches in security
>>> repo regularly - how? Any takers?
>>>
>> OFC it'd be ideal to have some karma holders to participate. And another
>> option, which is IMHO eligible - we could invite several

Re: [PHP-DEV] Security issue handling

2016-10-24 Thread Jakub Zelenka
On Mon, Oct 24, 2016 at 4:19 PM, Rasmus Lerdorf wrote:
> > > c. Get some specific people to volunteer to review patches in security
> > > repo regularly - how? Any takers?
> >
> > OFC it'd be ideal to have some karma holders to participate. And another
> > option, which is IMHO eligible - w

Re: [PHP-DEV] Security issue handling

2016-10-24 Thread Rasmus Lerdorf
> > c. Get some specific people to volunteer to review patches in security
> > repo regularly - how? Any takers?
>
> OFC it'd be ideal to have some karma holders to participate. And another
> option, which is IMHO eligible - we could invite several reporters. There
> is already a couple of peop

RE: [PHP-DEV] Security issue handling

2016-10-24 Thread Anatol Belski
Hi Stas,

Thanks for bringing this up.

> -Original Message-
> From: Stanislav Malyshev [mailto:smalys...@gmail.com]
> Sent: Monday, October 24, 2016 7:16 AM
> To: PHP Internals
> Subject: [PHP-DEV] Security issue handling
>
> Hi!
>
> I'd like to disc

[PHP-DEV] Security issue handling

2016-10-23 Thread Stanislav Malyshev
Hi!

I'd like to discuss an issue about security bugs handling.

We have a security repo which I and others check into bugs from time to time. The idea is for these to be reviewed by people having access there before we merge them, and then merge after the release. This, however, is not happening