Re: [PHP-DEV] Re: [8.2] Release Manager Election

2022-05-18 Thread Aaron Junker
Congratulations to Sergei and Pierrick for getting elected.

I wish you and Ben all the best and a great PHP 8.2 release.

Best regards
~Aaron

From: Calvin Buckley 
Sent: Thursday, May 19, 2022 1:55:41 AM
To: Ben Ramsey ; PHP internals 
Subject: Re: [PHP-DEV] Re: [8.2] Release Manager Election

On Wed, 2022-05-18 at 13:45 -0500, Ben Ramsey wrote:
>
> Our 8.2 “rookie” release managers are:
>
> * Sergey Panteleev
> * Pierrick Charron
>
> Congratulations!
>
> Thank you to all the candidates! I hope you’ll consider putting in
> your name for future release manager elections, and as always, PHP
> needs your help in many other ways, so please continue to volunteer
> and help out.
>
> Sergey and Pierrick, I’ll be in touch with you soon to get you
> started on the first alpha release of 8.2, due out on 9 June.

Congratulations to them! I'm glad that 8.2 will be in good hands.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php



Re: [PHP-DEV] Re: [8.2] Release Manager Election

2022-05-18 Thread Calvin Buckley
On Wed, 2022-05-18 at 13:45 -0500, Ben Ramsey wrote:
> 
> Our 8.2 “rookie” release managers are:
> 
> * Sergey Panteleev
> * Pierrick Charron
> 
> Congratulations!
> 
> Thank you to all the candidates! I hope you’ll consider putting in
> your name for future release manager elections, and as always, PHP
> needs your help in many other ways, so please continue to volunteer
> and help out.
> 
> Sergey and Pierrick, I’ll be in touch with you soon to get you
> started on the first alpha release of 8.2, due out on 9 June.

Congratulations to them! I'm glad that 8.2 will be in good hands.




Re: [PHP-DEV] Early feedback on encrypted session PR

2022-05-18 Thread David CARLIER
Thanks all for the early feedback.

So it is an attempt to mitigate tampering attacks, basically on sessions
stored on filesystems. So it appears to be a subset of session usage
overall indeed, but doing so in a native manner is what drove the PR.

On Wed, 18 May 2022 at 18:43, Christoph M. Becker  wrote:
>
> On 18.05.2022 at 18:37, Craig Francis wrote:
>
> > On 18 May 2022, at 17:02, Mark Randall  wrote:
> >
> >> Personally I usually just throw the session key through a one-way hash so 
> >> the original session ID never gets written to a backing store.
> >
> > Good idea, but that's not done by default.
>
> But also not by the PR, as I understand it.
>
> >> I'm not sure why reversible encryption needs to take place?
> >
> > It might provide privacy (if the attacker can read the session files, and 
> > they contain sensitive information, e.g. some developers store a copy of 
> > the users entire record in the session to avoid db lookups)... and it might 
> > prevent edits being made to the session file.
>
> It is already possible to write an own SessionHandler which
> encrypts/decrypts the session payload.  That said, I'm not against
> adding an encryption option.
>
> > I would hope both are very rare, but I'm still writing up reports about 
> > developers doing things like `file_put_contents('/tmp/' . $_POST['id'], 
> > $_POST['message'])`, so I don't have a lot of hope.
>
> Right.  And no amount of magic features implemented by a language or
> library will prevent such issues completely.  It might not have been the
> best idea to make PHP so beginner friendly.
>
> --
> Christoph M. Becker
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>




[PHP-DEV] Re: [8.2] Release Manager Election

2022-05-18 Thread Sergey Panteleev
Thanks everyone for your vote and trust,

Ben and Pierrick, I'm also looking forward to working with you.

—
wbr,
Sergey Panteleev


Re: [PHP-DEV] Re: [8.2] Release Manager Election

2022-05-18 Thread Pierrick Charron
Thanks a lot everyone for your trust and congratulations to Sergey and Ben.
I'm looking forward to working with you both.

Pierrick

On Wed, 18 May 2022 at 14:58, Evan Sims via internals <internals@lists.php.net> wrote:

> Congratulations Sergei and Pierrick!
>
> Cheers,
> Evan
>
> On May 18, 2022, Ben Ramsey  wrote:
> > > On May 11, 2022, at 09:51, Ben Ramsey  wrote:
> > >
> > > Happy middle of the week, everyone!
> > >
> > > We’ve had another great turn-out for PHP Release Manager selection
> > this year.
> > >
> > > In the role of “Veteran” release manager, Ben Ramsey[0] (that’s me!)
> > has volunteered to mentor two rookies, so there will be two seats up
> > for grabs. As I mentioned in an earlier message, Joe and I discussed
> > that it might be a good practice to have one of the rookie RMs from
> > the current release serve as the veteran for the next release. In this
> > way, any new advances or changes to the process will be carried
> > forward to the “next generation” much more smoothly. So, we’re going
> > to give that a try and see how well it works.
> > >
> > > For those two rookie seats, we’ve got seven eager candidates for
> > your consideration [1-7]. Some of these included a statement about
> > their background in their initial email volunteering for the role, the
> > rest I encourage to reply to this thread providing some background on
> > why they’ll be awesome.
> > >
> > > Voting is now open on https://wiki.php.net/todo/php82 using “Single
> > Transferable Vote” (STV). Those who participated in prior elections
> > will recognize the format; for the rest, the TL;DR is that it allows
> > each voter to state their preference order by voting multiple times.
> > There are seven polls on the wiki for your seven preferences, in
> > descending order. Using some math that I’ll leave to Wikipedia[8] to
> > explain, we’ll start with the 1st preference and gradually remove
> > candidates with the fewest votes, transferring votes that had
> > previously gone to them to their voter’s 2nd preference, and so on.
> > Once two candidates have a quorum (Droop quota), those will be
> > officially selected as our RMs. Derick Rethans has volunteered to
> > proctor the tabulation of the votes since he still has scripts from
> > last year.
> > >
> > > As you consider each candidate, please bear in mind that this is a
> > 3.5 year commitment and is a position of trust.
> > >
> > > Thank you in advance for your consideration.
> > >
> > > Your 8.1 Release Managers,
> > > Ben Ramsey, Patrick Allaert, & Joe Watkins
> > >
> > > Vote Opens: 11 May 2022
> > > Vote Closes: 18 May 2022
> > >
> > > Refs:
> > > 0 - Ben Ramsey: https://news-web.php.net/php.internals/117664
> > > 1 - Sergey Panteleev: https://news-web.php.net/php.internals/117596
> > > 2 - Evan Sims: https://news-web.php.net/php.internals/117621
> > > 3 - Aaron Junker: https://news-web.php.net/php.internals/117623
> > > 4 - Calvin Buckley: https://news-web.php.net/php.internals/117627
> > > 5 - Eric Mann: https://news-web.php.net/php.internals/117629
> > > 6 - Pierrick Charron: https://news-web.php.net/php.internals/117650
> > > 7 - Saif Eddin Gmati: https://news-web.php.net/php.internals/117702
> > > 8 - https://en.wikipedia.org/wiki/Single_transferable_vote
> > >
> >
> > The polls have closed, and Derick’s scripts have tallied the
> > votes.[^1]
> >
> > Our 8.2 “rookie” release managers are:
> >
> > * Sergey Panteleev
> > * Pierrick Charron
> >
> > Congratulations!
> >
> > Thank you to all the candidates! I hope you’ll consider putting in
> > your name for future release manager elections, and as always, PHP
> > needs your help in many other ways, so please continue to volunteer
> > and help out.
> >
> > Sergey and Pierrick, I’ll be in touch with you soon to get you started
> > on the first alpha release of 8.2, due out on 9 June.
> >
> > Cheers,
> > Ben
> >
> >
> > [^1]: https://gist.github.com/derickr/f13396ce8d9c0ed7bc84a23ba15d5406
>


Re: [PHP-DEV] Early feedback on encrypted session PR

2022-05-18 Thread Eric Mann via internals
I'm not sure I'm a fan of the PR as it stands, but the idea of 
encrypting session data - definitely.


When sessions are stored on disk, that data is plainly visible by anyone 
(or any process) with read access to that disk. If they're cached 
instead in a DB or an in-memory system like Memcached, the same rules 
apply - anyone else who can read data from that system can read what's 
stored in the session. That being said, how much you care about this 
level of access depends very much on your threat model. If sessions are 
storing data like upvotes or view counts, this information likely isn't 
sensitive enough to worry about whether or not things are encrypted.


If you're storing customer PII in a session, though, then protecting 
this data "at rest" in your session store becomes critical.



> It is already possible to write an own SessionHandler which
> encrypts/decrypts the session payload.  That said, I'm not against
> adding an encryption option.


This is 100% the route I've taken in the past. 
https://github.com/ericmann/sessionz (which I admit needs some updates) 
includes one example SessionHandler implementation that does just that. 
However, it would be fantastic to see this as part of the standard 
library. Session management in PHP can be tricky, particularly in larger 
applications with multiple entry/return points. A standard (read: 
simplified) implementation would go a long way.


--
Security Principles for PHP Applications

Eric Mann
Tekton
PGP: 0x63F15A9B715376CA
P: 503.925.6266
E: e...@eamann.com
eamann.com
ttmm.io


Re: [PHP-DEV] Re: [8.2] Release Manager Election

2022-05-18 Thread Evan Sims via internals
Congratulations Sergei and Pierrick!

Cheers,
Evan

On May 18, 2022, Ben Ramsey  wrote:
> > On May 11, 2022, at 09:51, Ben Ramsey  wrote:
> > 
> > Happy middle of the week, everyone!
> > 
> > We’ve had another great turn-out for PHP Release Manager selection
> this year.
> > 
> > In the role of “Veteran” release manager, Ben Ramsey[0] (that’s me!)
> has volunteered to mentor two rookies, so there will be two seats up
> for grabs. As I mentioned in an earlier message, Joe and I discussed
> that it might be a good practice to have one of the rookie RMs from
> the current release serve as the veteran for the next release. In this
> way, any new advances or changes to the process will be carried
> forward to the “next generation” much more smoothly. So, we’re going
> to give that a try and see how well it works.
> > 
> > For those two rookie seats, we’ve got seven eager candidates for
> your consideration [1-7]. Some of these included a statement about
> their background in their initial email volunteering for the role, the
> rest I encourage to reply to this thread providing some background on
> why they’ll be awesome.
> > 
> > Voting is now open on https://wiki.php.net/todo/php82 using “Single
> Transferable Vote” (STV). Those who participated in prior elections
> will recognize the format; for the rest, the TL;DR is that it allows
> each voter to state their preference order by voting multiple times.
> There are seven polls on the wiki for your seven preferences, in
> descending order. Using some math that I’ll leave to Wikipedia[8] to
> explain, we’ll start with the 1st preference and gradually remove
> candidates with the fewest votes, transferring votes that had
> previously gone to them to their voter’s 2nd preference, and so on.
> Once two candidates have a quorum (Droop quota), those will be
> officially selected as our RMs. Derick Rethans has volunteered to
> proctor the tabulation of the votes since he still has scripts from
> last year.
> > 
> > As you consider each candidate, please bear in mind that this is a
> 3.5 year commitment and is a position of trust.
> > 
> > Thank you in advance for your consideration.
> > 
> > Your 8.1 Release Managers,
> > Ben Ramsey, Patrick Allaert, & Joe Watkins
> > 
> > Vote Opens: 11 May 2022
> > Vote Closes: 18 May 2022
> > 
> > Refs:
> > 0 - Ben Ramsey: https://news-web.php.net/php.internals/117664
> > 1 - Sergey Panteleev: https://news-web.php.net/php.internals/117596
> > 2 - Evan Sims: https://news-web.php.net/php.internals/117621
> > 3 - Aaron Junker: https://news-web.php.net/php.internals/117623
> > 4 - Calvin Buckley: https://news-web.php.net/php.internals/117627
> > 5 - Eric Mann: https://news-web.php.net/php.internals/117629
> > 6 - Pierrick Charron: https://news-web.php.net/php.internals/117650
> > 7 - Saif Eddin Gmati: https://news-web.php.net/php.internals/117702
> > 8 - https://en.wikipedia.org/wiki/Single_transferable_vote
> > 
>
> The polls have closed, and Derick’s scripts have tallied the
> votes.[^1]
>
> Our 8.2 “rookie” release managers are:
>
> * Sergey Panteleev
> * Pierrick Charron
>
> Congratulations!
>
> Thank you to all the candidates! I hope you’ll consider putting in
> your name for future release manager elections, and as always, PHP
> needs your help in many other ways, so please continue to volunteer
> and help out.
>
> Sergey and Pierrick, I’ll be in touch with you soon to get you started
> on the first alpha release of 8.2, due out on 9 June.
>
> Cheers,
> Ben
>
>
> [^1]: https://gist.github.com/derickr/f13396ce8d9c0ed7bc84a23ba15d5406


[PHP-DEV] Re: [8.2] Release Manager Election

2022-05-18 Thread Ben Ramsey
> On May 11, 2022, at 09:51, Ben Ramsey  wrote:
> 
> Happy middle of the week, everyone!
> 
> We’ve had another great turn-out for PHP Release Manager selection this year.
> 
> In the role of “Veteran” release manager, Ben Ramsey[0] (that’s me!) has 
> volunteered to mentor two rookies, so there will be two seats up for grabs. 
> As I mentioned in an earlier message, Joe and I discussed that it might be a 
> good practice to have one of the rookie RMs from the current release serve as 
> the veteran for the next release. In this way, any new advances or changes to 
> the process will be carried forward to the “next generation” much more 
> smoothly. So, we’re going to give that a try and see how well it works.
> 
> For those two rookie seats, we’ve got seven eager candidates for your 
> consideration [1-7]. Some of these included a statement about their 
> background in their initial email volunteering for the role, the rest I 
> encourage to reply to this thread providing some background on why they’ll be 
> awesome.
> 
> Voting is now open on https://wiki.php.net/todo/php82 using “Single 
> Transferable Vote” (STV). Those who participated in prior elections will 
> recognize the format; for the rest, the TL;DR is that it allows each voter to 
> state their preference order by voting multiple times. There are seven polls 
> on the wiki for your seven preferences, in descending order. Using some math 
> that I’ll leave to Wikipedia[8] to explain, we’ll start with the 1st 
> preference and gradually remove candidates with the fewest votes, 
> transferring votes that had previously gone to them to their voter’s 2nd 
> preference, and so on. Once two candidates have a quorum (Droop quota), those 
> will be officially selected as our RMs. Derick Rethans has volunteered to 
> proctor the tabulation of the votes since he still has scripts from last year.
> 
> As you consider each candidate, please bear in mind that this is a 3.5 year 
> commitment and is a position of trust.
> 
> Thank you in advance for your consideration.
> 
> Your 8.1 Release Managers,
> Ben Ramsey, Patrick Allaert, & Joe Watkins
> 
> Vote Opens: 11 May 2022
> Vote Closes: 18 May 2022
> 
> Refs:
> 0 - Ben Ramsey: https://news-web.php.net/php.internals/117664
> 1 - Sergey Panteleev: https://news-web.php.net/php.internals/117596
> 2 - Evan Sims: https://news-web.php.net/php.internals/117621
> 3 - Aaron Junker: https://news-web.php.net/php.internals/117623
> 4 - Calvin Buckley: https://news-web.php.net/php.internals/117627
> 5 - Eric Mann: https://news-web.php.net/php.internals/117629
> 6 - Pierrick Charron: https://news-web.php.net/php.internals/117650
> 7 - Saif Eddin Gmati: https://news-web.php.net/php.internals/117702
> 8 - https://en.wikipedia.org/wiki/Single_transferable_vote
> 

The polls have closed, and Derick’s scripts have tallied the votes.[^1]

Our 8.2 “rookie” release managers are:

* Sergey Panteleev
* Pierrick Charron

Congratulations!

Thank you to all the candidates! I hope you’ll consider putting in your name 
for future release manager elections, and as always, PHP needs your help in 
many other ways, so please continue to volunteer and help out.

Sergey and Pierrick, I’ll be in touch with you soon to get you started on the 
first alpha release of 8.2, due out on 9 June.

Cheers,
Ben


[^1]: https://gist.github.com/derickr/f13396ce8d9c0ed7bc84a23ba15d5406





Re: [PHP-DEV] Early feedback on encrypted session PR

2022-05-18 Thread Christoph M. Becker
On 18.05.2022 at 18:37, Craig Francis wrote:

> On 18 May 2022, at 17:02, Mark Randall  wrote:
>
>> Personally I usually just throw the session key through a one-way hash so 
>> the original session ID never gets written to a backing store.
>
> Good idea, but that's not done by default.

But also not by the PR, as I understand it.

>> I'm not sure why reversible encryption needs to take place?
>
> It might provide privacy (if the attacker can read the session files, and 
> they contain sensitive information, e.g. some developers store a copy of the 
> users entire record in the session to avoid db lookups)... and it might 
> prevent edits being made to the session file.

It is already possible to write an own SessionHandler which
encrypts/decrypts the session payload.  That said, I'm not against
adding an encryption option.

> I would hope both are very rare, but I'm still writing up reports about 
> developers doing things like `file_put_contents('/tmp/' . $_POST['id'], 
> $_POST['message'])`, so I don't have a lot of hope.

Right.  And no amount of magic features implemented by a language or
library will prevent such issues completely.  It might not have been the
best idea to make PHP so beginner friendly.

--
Christoph M. Becker




Re: [PHP-DEV] Early feedback on encrypted session PR

2022-05-18 Thread Craig Francis
On 18 May 2022, at 17:02, Mark Randall  wrote:
> Personally I usually just throw the session key through a one-way hash so the 
> original session ID never gets written to a backing store.


Good idea, but that's not done by default.


> I'm not sure why reversible encryption needs to take place?



It might provide privacy (if the attacker can read the session files, and they 
contain sensitive information, e.g. some developers store a copy of the users 
entire record in the session to avoid db lookups)... and it might prevent edits 
being made to the session file.

I would hope both are very rare, but I'm still writing up reports about 
developers doing things like `file_put_contents('/tmp/' . $_POST['id'], 
$_POST['message'])`, so I don't have a lot of hope.

Craig




Re: [PHP-DEV] Early feedback on encrypted session PR

2022-05-18 Thread Mark Randall

On 18/05/2022 16:23, Craig Francis wrote:
> If the Session ID continued to work as the Identifier, but the client was given 
> the Session ID and a Random Key (could be concatenated together for the 
> cookie)... that means the Random Key would not be stored on the server, and 
> could protect the session if there was a vulnerability on the server/website 
> (e.g. attacker being able to see the directory listing of session files)... I'm 
> not sure how much of a benefit that will actually provide, vs the risk of it 
> going wrong (e.g. future PHP changing encryption algorithm).


Personally I usually just throw the session key through a one-way hash 
so the original session ID never gets written to a backing store.


I'm not sure why reversible encryption needs to take place?




Re: [PHP-DEV] Early feedback on encrypted session PR

2022-05-18 Thread Craig Francis
On 17 May 2022, at 23:11, Mark Randall  wrote:
> On 17/05/2022 21:36, David CARLIER wrote:
>> I wanted a more general but early feedback on the idea itself
>> https://github.com/php/php-src/pull/3759
> 
> What is the motivation? What is it meant to achieve?


If the Session ID continued to work as the Identifier, but the client was given 
the Session ID and a Random Key (could be concatenated together for the 
cookie)... that means the Random Key would not be stored on the server, and 
could protect the session if there was a vulnerability on the server/website 
(e.g. attacker being able to see the directory listing of session files)... I'm 
not sure how much of a benefit that will actually provide, vs the risk of it 
going wrong (e.g. future PHP changing encryption algorithm).

Craig

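The thread above discusses three related ideas without showing code: Mark Randall's practice of hashing the session ID so the raw ID never reaches the backing store, Christoph Becker's and Eric Mann's point that a custom SessionHandler can already encrypt the payload, and Craig Francis's suggestion of a key that lives only in the client's cookie. The handler below is an added example written for this page; it is not the code from the PR, from php-src, or from any of the thread's authors. It combines the three ideas: the file is named by a SHA-256 of the session ID, and the payload is sealed with sodium_crypto_secretbox under a per-session key derived from both the session ID (which only the cookie holds) and a server-side secret, so someone who can read the session directory but has neither the cookie nor the secret can neither decrypt nor forge a session file. The class name, directory, and the SESSION_SECRET environment variable are assumptions.

```php
<?php
declare(strict_types=1);

/*
 * Hypothetical encrypted file session handler (example only, not the PR's code).
 *  - Storage name: SHA-256(session id), so the raw id is never written to disk.
 *  - Payload: XSalsa20-Poly1305 (sodium_crypto_secretbox) under a key that
 *    requires BOTH the session id (held by the client's cookie) and a server
 *    secret; authentication means a tampered file simply fails to open.
 */
final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private string $dir;
    private string $serverKey; // 32-byte key normalised from the configured secret

    public function __construct(string $dir, string $serverSecret)
    {
        if (strlen($serverSecret) < 32) {
            throw new InvalidArgumentException('server secret must be at least 32 bytes');
        }
        $this->dir = rtrim($dir, '/');
        // Normalise whatever length the operator supplies to a 32-byte hash key.
        $this->serverKey = sodium_crypto_generichash($serverSecret);
    }

    // PHP's widest session id charset (sid_bits_per_character=6) and length
    // range (sid_length 22..256); reject anything else before it touches the
    // filesystem or the key derivation.
    private static function assertValidId(string $id): void
    {
        if (!preg_match('/\A[0-9a-zA-Z,-]{22,256}\z/', $id)) {
            throw new InvalidArgumentException('malformed session id');
        }
    }

    private function path(string $id): string
    {
        self::assertValidId($id);
        return $this->dir . '/sess_' . hash('sha256', $id);
    }

    // Per-session key: keyed BLAKE2b of the id under the server key.
    private function key(string $id): string
    {
        return sodium_crypto_generichash($id, $this->serverKey, SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if (!is_file($file)) {
            return ''; // new session: PHP expects an empty string here
        }
        $blob = file_get_contents($file);
        $min  = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
        if ($blob === false || strlen($blob) < $min) {
            return '';
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $key   = $this->key($id);
        $plain = sodium_crypto_secretbox_open($ct, $nonce, $key);
        sodium_memzero($key);
        // Authentication failure (edited or foreign file) is treated as an empty session.
        return $plain === false ? '' : $plain;
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per write
        $key   = $this->key($id);
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $key);
        sodium_memzero($key);
        $file = $this->path($id);
        return file_put_contents($file, $blob, LOCK_EX) !== false && chmod($file, 0600);
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Assumed deployment: the secret comes from the environment, not from the docroot.
session_set_save_handler(
    new EncryptedFileSessionHandler('/var/lib/php/encrypted-sessions', (string) getenv('SESSION_SECRET')),
    true
);
session_start();
```

Because the per-session key is bound to the id, session_regenerate_id() re-encrypts naturally: PHP reads under the old id and writes under the new one through the same handler. Craig's concern about a future algorithm change applies here too, but only for the lifetime of one session, since a file sealed under an old scheme simply fails authentication and is treated as a fresh, empty session rather than being trusted.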