On 17.11.2021 at 13:01, Nikita Popov wrote:
> On Mon, Nov 15, 2021 at 9:18 PM Björn Larsson <bjorn.x.lars...@telia.com>
> wrote:
>
>> On 2021-11-02 at 15:19, Nikita Popov wrote:
>>> Hi internals,
>>>
>>> The migration from bugs.php.net to GitHub issues has already been discussed
>>> in https://externals.io/message/114300 and has already happened for
>>> documentation issues.
>>>
>>> I'd like to formally propose to use GitHub for PHP implementation issues as
>>> well: https://wiki.php.net/rfc/github_issues
>>>
>>> Regards,
>>> Nikita
>>>
>> Hi,
>>
>> The current proposal is to move all new issues from bugs.php.net to
>> GitHub except security ones.
>>
>> I think it's important to think a bit on what that means for reporting
>> security issues in the future. I mean, if we leave bugs.php.net to rot
>> in the corner, what are the consequences for reporting security issues?
>>
>> I think that aspect needs to be a bit further analysed like:
>> - Will this move have a negative impact on reporting security issues
>>   on bugs.php.net?
>>   # Both from a technical and people perspective.
>> - Can one assume that by bugs.php.net having probably even less
>>   attention, that reporting security issues will work as is?
>> - Is there an alternative for also handling security issues?
>>
>> Think it would be good if the RFC could analyse that a little, besides
>> saying business as usual for security issues.
>
> I don't think there's much more to say than that -- it should indeed be
> business as usual. The only complication I see for security issues is that
> we will not be able to easily move security issues that turn out to be
> non-security bugs over to GitHub. As such, we may have a very low number of
> new bugs appearing on bugs.php.net by being reported as security issues
> first and being reclassified later. I don't view that as an immediate
> problem, because to start with, we'll still be working with recent reports
> on bugs.php.net anyway. Longer term, I do hope that GitHub will provide a
> way to report issues privately (i.e. as indicated in
> https://github.blog/2021-11-12-highlights-github-security-roadmap-universe-2021/),
> so that we can consolidate everything in one tracker. But given the lack of
> clear roadmap for this, I'm not basing any plans on it yet.
>
> I do think that the handling of security issues is the weakest part of this
> move, and probably the only area where choosing a different platform could
> have a tangible advantage. However, we receive orders of magnitude fewer
> security issues than other reports, and there is a much smaller number of
> people involved in handling them, so I don't think we need to put too
> strong a focus on this aspect.

Right. An alternative might be to let users report security issues to
the security mailing list, where, if the issue turns out not to be a
security issue, the reporter could still be asked to submit a GH issue
about the bug. In that case it might be useful to add more devs to the
security mailing list.

Christoph

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php