Re: [PHP-DEV] Security issue handling

2016-11-11 Thread Derick Rethans
On Wed, 2 Nov 2016, Joe Watkins wrote: > Morning, > > Stas, consider Leigh vouched for, please add him to sec lists and private > bugs. I've given him karma to look at the security (private) bugs. cheers, Derick -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: ht

Re: [PHP-DEV] Security issue handling

2016-11-09 Thread Kalle Sommer Nielsen
2016-11-10 0:43 GMT+01:00 Anatol Belski : > At this point, what were our course of action? Seems there might be multiple > tasks > > - granting the willing devs security karma > - setting up a private CI > - organizing a security team > > It probably would make sense, to make some plan on what is

RE: [PHP-DEV] Security issue handling

2016-11-09 Thread Anatol Belski
Hi, > -Original Message- > From: Stanislav Malyshev [mailto:smalys...@gmail.com] > Sent: Saturday, November 5, 2016 8:13 PM > To: Matteo Beccati ; PHP Internals > > Subject: Re: [PHP-DEV] Security issue handling > > Hi! > > > On 24/10/2016 07:16, Stan

Re: [PHP-DEV] Security issue handling

2016-11-06 Thread Leigh
On Sat, 5 Nov 2016 at 19:13 Stanislav Malyshev wrote: > Hi! > > > On 24/10/2016 07:16, Stanislav Malyshev wrote: > >> c. Get some specific people to volunteer to review patches in security > >> repo regularly - how? Any takers? > > > > I'd be happy to help with reviewing and also setting up a pri

Re: [PHP-DEV] Security issue handling

2016-11-05 Thread Stanislav Malyshev
Hi! > On 24/10/2016 07:16, Stanislav Malyshev wrote: >> c. Get some specific people to volunteer to review patches in security >> repo regularly - how? Any takers? > > I'd be happy to help with reviewing and also setting up a private C.I. > to build and run the test suite regularly, if you think

Re: [PHP-DEV] Security issue handling

2016-11-03 Thread Matteo Beccati
Hi, On 24/10/2016 07:16, Stanislav Malyshev wrote: > c. Get some specific people to volunteer to review patches in security > repo regularly - how? Any takers? I'd be happy to help with reviewing and also setting up a private C.I. to build and run the test suite regularly, if you think that's a g

Re: [PHP-DEV] Security issue handling

2016-11-02 Thread Joe Watkins
Morning, Stas, consider Leigh vouched for, please add him to sec lists and private bugs. Cheers Joe On Wed, Nov 2, 2016 at 11:14 AM, Leigh wrote: > On 24 October 2016 at 06:16, Stanislav Malyshev > wrote: > > Hi! > > > > I'd like to discuss an issue about security bugs handling. > > > > We ha

Re: [PHP-DEV] Security issue handling

2016-11-02 Thread Leigh
On 24 October 2016 at 06:16, Stanislav Malyshev wrote: > Hi! > > I'd like to discuss an issue about security bugs handling. > > We have a security repo which I and others check into bugs from time to > time. The idea is for these to be reviewed by people having access there > before we merge them,

Re: [PHP-DEV] Security issue handling

2016-11-01 Thread Yasuo Ohgaki
Hi all, On Wed, Nov 2, 2016 at 7:28 AM, Jakub Zelenka wrote: > On Sun, Oct 30, 2016 at 10:09 PM, Stanislav Malyshev > wrote: > > >> >> >> Great, thanks! So besides assigning the issues for the said extensions >> to you, what model for coordinating reviews would you prefer? >> > > I'm not sure wh

Re: [PHP-DEV] Security issue handling

2016-11-01 Thread Jakub Zelenka
Hi On Sun, Oct 30, 2016 at 10:09 PM, Stanislav Malyshev wrote: > > > Great, thanks! So besides assigning the issues for the said extensions > to you, what model for coordinating reviews would you prefer? > I'm not sure what the current flow is but it would be great to send info about fixed iss

Re: [PHP-DEV] Security issue handling

2016-11-01 Thread Christoph M. Becker
On 01.11.2016 at 02:39, Anatol Belski wrote: > […] And as a fallback, if not enough reaction is seen, check other > ways to achieve more QA. […] Not directly related to this thread, but to QA in general: could somebody please fix ? The page is down for m

RE: [PHP-DEV] Security issue handling

2016-10-31 Thread Anatol Belski
Hi Stas, > -Original Message- > From: Stanislav Malyshev [mailto:smalys...@gmail.com] > Sent: Sunday, October 30, 2016 11:01 PM > To: Anatol Belski ; 'PHP Internals' > > Subject: Re: [PHP-DEV] Security issue handling > > Hi! > > > release. S

Re: [PHP-DEV] Security issue handling

2016-10-30 Thread 陈亮
Hi, >> OFC it'd be ideal to have some karma holders to participate. And >> another option, which is IMHO eligible - we could invite several >> reporters. There is already a couple of people, who regularly report >> security issues and keep them confident until they're publicly >> disclosed. IMHO i

Re: [PHP-DEV] Security issue handling

2016-10-30 Thread Stanislav Malyshev
Hi! > I would be happy to help with review / fixes especially for json that I > maintain and openssl that I sort of try to maintain too. But I could > also help with review of some other exts if time allows. Great, thanks! So besides assigning the issues for the said extensions to you, what model

Re: [PHP-DEV] Security issue handling

2016-10-30 Thread Stanislav Malyshev
Hi! > release. Say, as we do it now, we tag two days before. It could be > defined, for example, that any security patches intended for release > inclusion, have to be merged into security repo, ported and tested 5 > days before tag. Fe Thursday/Friday in week before final, it is That's nice but

Re: [PHP-DEV] Security issue handling

2016-10-24 Thread Kalle Sommer Nielsen
2016-10-24 17:19 GMT+02:00 Rasmus Lerdorf : > As a first step perhaps we just need to expand security@ a bit with the > specific call for volunteers to help review security patches? Maybe we should make the security issues available to those who actively contribute to PHP, like Jakub, Christoph w

Re: [PHP-DEV] Security issue handling

2016-10-24 Thread Christoph M. Becker
On 24.10.2016 at 17:19, Rasmus Lerdorf wrote: >>> c. Get some specific people to volunteer to review patches in security >>> repo regularly - how? Any takers? >>> >> OFC it'd be ideal to have some karma holders to participate. And another >> option, which is IMHO eligible - we could invite several

Re: [PHP-DEV] Security issue handling

2016-10-24 Thread Jakub Zelenka
On Mon, Oct 24, 2016 at 4:19 PM, Rasmus Lerdorf wrote: > > > > > c. Get some specific people to volunteer to review patches in security > > > repo regularly - how? Any takers? > > > > > OFC it'd be ideal to have some karma holders to participate. And another > > option, which is IMHO eligible - w

Re: [PHP-DEV] Security issue handling

2016-10-24 Thread Rasmus Lerdorf
> > > c. Get some specific people to volunteer to review patches in security > > repo regularly - how? Any takers? > > > OFC it'd be ideal to have some karma holders to participate. And another > option, which is IMHO eligible - we could invite several reporters. There > is already a couple of peop

RE: [PHP-DEV] Security issue handling

2016-10-24 Thread Anatol Belski
Hi Stas, Thanks for bringing this up. > -Original Message- > From: Stanislav Malyshev [mailto:smalys...@gmail.com] > Sent: Monday, October 24, 2016 7:16 AM > To: PHP Internals > Subject: [PHP-DEV] Security issue handling > > Hi! > > I'd like to discuss an issue about security bugs hand