Re: [PHP-DEV] Re: Security e-mail address
We were going to set up [EMAIL PROTECTED] at one point with a closed list of recipients, mainly core devs and a few QA people who can check out if it is a security problem or not. Don't think this ever happened. Perhaps it would be an idea though.

- James

----- Original Message -----
From: Rasmus Lerdorf [EMAIL PROTECTED]
To: Jani Taskinen [EMAIL PROTECTED]
Cc: Flavio Veloso [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, October 06, 2001 2:21 AM
Subject: [PHP-DEV] Re: Security e-mail address

> Oh Jani, relax. He wanted somewhere non-public. php-dev is archived everywhere, as is [EMAIL PROTECTED]. group@ is the only non-archived address. If there is a real problem we will most definitely forward it to php-dev, but if someone asks for a private contact address I give the only one we have. Most of these are false alarms anyway.
>
> -Rasmus
>
> On Sat, 6 Oct 2001, Jani Taskinen wrote:
>
>> What's wrong with php-dev? IIRC the [EMAIL PROTECTED] handles only administration of the site and stuff. There can't be anything that fatal that all the people subscribed to php-dev shouldn't see. Or has PHP suddenly changed into closed-source?
>>
>> --Jani
>>
>> On Fri, 5 Oct 2001, Rasmus Lerdorf wrote:
>>
>>> Use [EMAIL PROTECTED] please.
>>>
>>> On Fri, 5 Oct 2001, Flavio Veloso wrote:
>>>
>>>> Hi Webmaster. Is there any mail address that can be used to discuss security issues related to PHP? We know that we could use your bug tracking system to report problems, but it doesn't seem appropriate to disclose a security bug before PHP developers have a chance to look at it. We are a Linux and network security research company that lives in Brazil. Maybe we have discovered a problem which has some security implications. We are not completely sure if it's a bug in PHP (and how to solve it, even if it isn't), and would like to share it with the PHP people privately. BTW, sorry to bother you with this, but your mail address was the only one I could find on the www.php.net website.
-- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Security e-mail address
> We were going to set up [EMAIL PROTECTED] at one point with a closed list of recipients, mainly core devs and a few QA people who can check out if it is a security problem or not. Don't think this ever happened. Perhaps it would be an idea though.

+1

Goba
[PHP-DEV] Re: Security e-mail address
Oh Jani, relax. He wanted somewhere non-public. php-dev is archived everywhere, as is [EMAIL PROTECTED]. group@ is the only non-archived address. If there is a real problem we will most definitely forward it to php-dev, but if someone asks for a private contact address I give the only one we have. Most of these are false alarms anyway.

-Rasmus

On Sat, 6 Oct 2001, Jani Taskinen wrote:

> What's wrong with php-dev? IIRC the [EMAIL PROTECTED] handles only administration of the site and stuff. There can't be anything that fatal that all the people subscribed to php-dev shouldn't see. Or has PHP suddenly changed into closed-source?
>
> --Jani
>
> On Fri, 5 Oct 2001, Rasmus Lerdorf wrote:
>
>> Use [EMAIL PROTECTED] please.
>>
>> On Fri, 5 Oct 2001, Flavio Veloso wrote:
>>
>>> Hi Webmaster. Is there any mail address that can be used to discuss security issues related to PHP? We know that we could use your bug tracking system to report problems, but it doesn't seem appropriate to disclose a security bug before PHP developers have a chance to look at it. We are a Linux and network security research company that lives in Brazil. Maybe we have discovered a problem which has some security implications. We are not completely sure if it's a bug in PHP (and how to solve it, even if it isn't), and would like to share it with the PHP people privately. BTW, sorry to bother you with this, but your mail address was the only one I could find on the www.php.net website.
[PHP-DEV] Re: Security e-mail address
> So what's wrong in keeping them public? If they are false alarms, why not keep them public and show all other people who think they found serious security related bugs that they are wrong? If it's open source, KEEP it open. There can't be any closed 'groups' which get some info in this kind of project. If there are, it's no longer open source, IMO.

Two issues:

1. A private correspondence channel was requested. You are saying there cannot be private communications in open source? Believe me, there is plenty of private communication going on in all the various open source projects and it doesn't make them any less open source. Telling someone that they are not allowed to communicate with members of the PHP development team in a private manner makes no sense. Perhaps we need a [EMAIL PROTECTED] private mailing list for this instead, where only people with php-dev CVS accounts can subscribe, and either not archive or at least delay the archiving of messages to the list by a couple of weeks.

2. If this is indeed a big security hole we have to treat it in a responsible manner. We need to communicate the problem as quickly as possible *along with the fix*. It is common practice, on bugtraq and elsewhere, to not publicly announce security issues without an accompanying fix, so that you aren't giving the black hats a big window of time to exploit the security hole. That doesn't mean we can just sit on a security issue; we have to address it in a timely manner, but I see nothing wrong with limiting the distribution list and certainly not immediately injecting an exploit into every search engine in the world.

-Rasmus
Re: [PHP-DEV] Re: Security e-mail address
Jani Taskinen wrote:

> So what's wrong in keeping them public? If they are false alarms, why not keep them public and show all other people who think they found serious security related bugs that they are wrong? If it's open source, KEEP it open. There can't be any closed 'groups' which get some info in this kind of project. If there are, it's no longer open source, IMO.

Even for open source projects, it is good practice to keep security issues closed until a fix has been released. As long as there is no fix, making it public won't help anyone except the black hats. IMO.

And possible security issues shouldn't be considered bogus by default.

regards
Wagner

--
A mathematician is a machine that turns coffee into theorems.
Paul Erdös, mathematician, 1913-1996
Re: [PHP-DEV] Re: Security e-mail address
>> someone that they are not allowed to communicate with members of the PHP development team in a private manner makes no sense. Perhaps we need a [EMAIL PROTECTED] private mailing list for this instead, where only people with php-dev CVS accounts can subscribe, and either not archive or at least delay the archiving of messages to the list by a couple of weeks.
>
> Excellent idea. This is exactly something we really need. A private address which is not limited to 10 persons or so. What did Linus say again... enough eyes and all bugs are... something?

I'm really not all that worried about having the ability to fix issues in the small group, or at least understanding the issue and bringing in the appropriate people privately to come up with a fix. So the number of people receiving that initial email really doesn't worry me. Heck, it could be a single person we designate to be the security officer and rotate that responsibility. It isn't that hard to figure out who wrote a specific piece, and if you have been around a while you know the people who are likely to be able to provide some insight.

> Also, the other issue is the so-called 'script kiddies'... so you're right in this.

Yes, the majority of the attacks out there are really not very advanced. Just some kid who downloads an exploit from somewhere. If we can make it a bit harder for these kids, we should.

-Rasmus
Re: [PHP-DEV] Re: Security e-mail address
At 04:36 06-10-01, Rasmus Lerdorf wrote:

> Jani said:
>
>> Excellent idea. This is exactly something we really need. A private address which is not limited to 10 persons or so. What did Linus say again... enough eyes and all bugs are... something?
>
> I'm really not all that worried about having the ability to fix issues in the small group, or at least understanding the issue and bringing in the appropriate people privately to come up with a fix. So the number of people receiving that initial email really doesn't worry me. Heck, it could be a single person we designate to be the security officer and rotate that responsibility. It isn't that hard to figure out who wrote a specific piece, and if you have been around a while you know the people who are likely to be able to provide some insight.

The number of people who get to see it does worry me. It has to be reasonably small to be manageable, which is why I think that the way it works today is pretty good (such reports go to group@; adding [EMAIL PROTECTED] is a good idea too, though I don't like the security-officer idea too much). This can't be an open forum such as php-dev either, for obvious reasons. The 'enough eyeballs' rule doesn't apply here, or at least it doesn't apply in many cases. If something is safe enough to be sent out in the open on php-dev, no problem. If it's a bad bug, e.g., a remotely exploitable bug, fixing it silently, involving only the people who are related to the faulty code, is probably the best practice.

Zeev