On Mon, Nov 15, 2021 at 9:18 PM Björn Larsson <bjorn.x.lars...@telia.com> wrote:
> On 2021-11-02 at 15:19, Nikita Popov wrote:
> > Hi internals,
> >
> > The migration from bugs.php.net to GitHub issues has already been discussed
> > in https://externals.io/message/114300 and has already happened for
> > documentation issues.
> >
> > I'd like to formally propose to use GitHub for PHP implementation issues as
> > well: https://wiki.php.net/rfc/github_issues
> >
> > Regards,
> > Nikita
> >
> Hi,
>
> The current proposal is to move all new issues from bugs.php.net to
> GitHub except security ones.
>
> I think it's important to think a bit on what that means for reporting
> security issues in the future. I mean, if we leave bugs.php.net to rot
> in the corner, what are the consequences for reporting security issues?
>
> I think that aspect needs to be a bit further analysed like:
> - Will this move have a negative impact on reporting security issues
>   on bugs.php.net?
>   # Both from a technical and people perspective.
> - Can one assume that by bugs.php.net having probably even less
>   attention, that reporting security issues will work as is?
> - Is there an alternative for also handling security issues?
>
> Think it would be good if the RFC could analyse that a little, besides
> saying business as usual for security issues.
>

I don't think there's much more to say than that -- it should indeed be business as usual. The only complication I see for security issues is that we will not be able to easily move security issues that turn out to be non-security bugs over to GitHub. As such, we may have a very low number of new bugs appearing on bugs.php.net by being reported as security issues first and being reclassified later. I don't view that as an immediate problem, because to start with, we'll still be working with recent reports on bugs.php.net anyway.

Longer term, I do hope that GitHub will provide a way to report issues privately (i.e. as indicated in https://github.blog/2021-11-12-highlights-github-security-roadmap-universe-2021/), so that we can consolidate everything in one tracker. But given the lack of a clear roadmap for this, I'm not basing any plans on it yet.

I do think that the handling of security issues is the weakest part of this move, and probably the only area where choosing a different platform could have a tangible advantage. However, we receive orders of magnitude fewer security issues than other reports, and there is a much smaller number of people involved in handling them, so I don't think we need to put too strong a focus on this aspect.

Regards,
Nikita