On 24 October 2016 at 06:16, Stanislav Malyshev <smalys...@gmail.com> wrote:

> Hi!
>
> I'd like to discuss an issue about security bugs handling.
>
> We have a security repo which I and others check into bugs from time to
> time. The idea is for these to be reviewed by people having access there
> before we merge them, and then merge after the release.
>
> This, however, is not happening at all. The patches, as far as I know,
> are not reviewed at all, and merging a bunch of patches last minute with
> no review is extremely dangerous. I am trying my best with my patches,
> but I'm only human, and I feel increasingly uncomfortable having so many
> unreviewed patches in the release.
>
> So, how can we fix it?
>
> a. We could merge some of the patches on RC stage, even though that
> might expose some issues.
> b. We could somehow improve the review mechanism beyond the security repo we
> have now - ideas?
> c. Get some specific people to volunteer to review patches in the security
> repo regularly - how? Any takers?
>
> Would like to hear thoughts on this one.
> --
> Stas Malyshev
> smalys...@gmail.com
Hey Stas,

If it's extra volunteers that you need, I would also be happy to help out where I can, investigating reported issues, writing and reviewing patches.

* I have a provable interest in security
* I've submitted security issues (to PHP and other projects) in the past
* I have worked on security features for the PHP runtime in the past
* I already have karma \o/

Regards,
Leigh.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php