Ferenc Kovacs <tyr...@gmail.com> wrote:
> private bugs can be only accessed by the php security team and some security
> people from vendors:
> http://git.php.net/?p=web/bugs.git;a=blob;f=include/trusted-devs.php
> I think that private bugs like that should be made public after the fixed
> version release, just like others do the same:
> https://bugzilla.redhat.com/show_bug.cgi?id=964969
> usually searching for a CVE number on google works (after the fix is
> released).

Yes, they should be made public. Not doing this is a process issue. Could anybody create a script we can run during release publishing that checks all NEWS entries and checks that all bugs are public? Would be great. (Perfect would be if that script would also translate NEWS to HTML, see README.RELEASE_PROCESS for HTML requirements ... even better would be generating NEWS from commit messages ... but small steps help already)

johannes
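
One way to write the release-time check requested above, as an added example that is not part of the original thread or of PHP's release tooling. The NEWS layout (a "DD Mon YYYY, PHP x.y.z" heading followed by entries naming "#<id>") and the is_public lookup, which the caller has to implement as an unauthenticated query against the bug tracker, are assumptions; the sample text and bug ids are constructed.

```python
import re

# Constructed sample in the layout assumed for the NEWS file; bug ids are made up.
SAMPLE_NEWS = """\
01 Jan 2013, PHP 9.9.2

- Core:
  . Fixed bug #900001 (Constructed example entry).
  . Fixed bug #900002 (Constructed entry spanning
    two lines). (dev)

- Zip:
  . Fixed bugs #900003 and #900004 (Constructed).
  . Fixed bug #900001 (Duplicate mention, reported once).

01 Dec 2012, PHP 9.9.1

- Core:
  . Fixed bug #900099 (Older release, must be ignored).
"""

# Release heading; "??" is accepted so an undated section can be checked too.
RELEASE_RE = re.compile(r"^[\d?]{2} [\w?]{3} [\d?]{4}, PHP (\S+)\s*$")
BUG_RE = re.compile(r"#(\d+)")

def bugs_for_release(news_text, version):
    """Bug ids named under one release heading, in order, without duplicates."""
    bugs, active = [], False
    for line in news_text.splitlines():
        heading = RELEASE_RE.match(line)
        if heading:
            active = heading.group(1) == version
        elif active:
            for bug in map(int, BUG_RE.findall(line)):
                if bug not in bugs:
                    bugs.append(bug)
    return bugs

def non_public_bugs(news_text, version, is_public):
    """Bugs in the release's NEWS section that is_public(bug_id) reports as hidden.
    is_public is a hypothetical caller-supplied anonymous tracker lookup."""
    return [b for b in bugs_for_release(news_text, version) if not is_public(b)]

if __name__ == "__main__":
    still_private = {900002}  # constructed stand-in for the tracker lookup
    missing = non_public_bugs(SAMPLE_NEWS, "9.9.2", lambda b: b not in still_private)
    for bug in missing:
        print(f"bug #{bug} is listed in NEWS for 9.9.2 but is not public")
    raise SystemExit(1 if missing else 0)
```

The non-zero exit status lets a release checklist or publishing script stop until the listed bugs have been opened.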