On Thu, Nov 18, 2021 at 2:07 PM Patrick ALLAERT <patrickalla...@php.net> wrote:
> Le mer. 17 nov. 2021 à 13:30, Christoph M. Becker <cmbecke...@gmx.de> a > écrit : > > Right. An alternative might be to let users report security issues to > > the security mailing list, where, if the issue turns out not to be a > > security issue, the reporter could still be asked to submit a GH issue > > about the bug. In that case it might be useful to add more devs to the > > security mailing list. > > I was thinking about the same. Can't we work with security issues with > mailing list *only*? > It doesn't feel optimal to keep bugs.php.net active for just security > ones. > I miss seeing the motivation for it. > The problem with the security mailing list is that it's ephemeral -- someone new can't look at past discussions before they were subscribed. Additionally, it's not possible to make the issue and the whole conversation around it public after the issue has been fixed. Regards, Nikita
