PSR-9 and 10 thoughts


Korvin Szanto

Aug 14, 2015, 4:48:39 PM
to php...@googlegroups.com
I reviewed the current state of the PSR 9 and PSR 10 proposals and noticed that we don't address researcher credit and PGP. 

I see that we have "author" which I imagine is to credit the security researcher, but could also be interpreted to credit the person who resolved the security issue. I think we should make a distinction between these two and offer the ability to provide not only "author" but "reported by", "fixed by", and "verified by". With PGP, I would like to see "SHOULD provide a public PGP key for mail encryption".

What do you guys think?

Marco Pivetta

Aug 15, 2015, 5:38:33 AM
to php...@googlegroups.com

Strong +1. I also contacted many FIG projects in the past: most are dangerously unaware that security communications should go through GPG encryption.

--
You received this message because you are subscribed to the Google Groups "PHP Framework Interoperability Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to php-fig+u...@googlegroups.com.
To post to this group, send email to php...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/php-fig/CANeXGWXMM6poxeFh8vnNhveytTVc%3D%2BhTLV2xX_%3Di6haFGi5pcg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Alexander Makarov

Aug 15, 2015, 5:14:10 PM
to PHP Framework Interoperability Group
+1

Matteo Beccati

Aug 16, 2015, 4:54:20 AM
to php...@googlegroups.com
Hi,

On 15/08/2015 11:38, Marco Pivetta wrote:
> Strong +1. I also contacted many FIG projects in the past: most are
> dangerously unaware that security communications should go through GPG
> encryption.

In over 10 years I've been asked to exchange PGP/GPG keys 3 times, going
from memory. Most of the times the researchers dumped the info directly
to the security email address.

I agree that ideally all the communication should happen over a secure
channel, but in reality that doesn't happen because the majority of
reports (in my limited experience, ofc) are sent directly without
requesting the key exchange.

That said, I'd be happy to promote its usage, even if ultimately it's
not something the projects can control.

Also, as a project we are currently evaluating the HackerOne
platform. At some point we'll switch from invite-only to public and we
won't be promoting direct emails to security@ anymore, although we'll
keep the email address, of course. It would be nice if PSR-9 also
supported 3rd-party platforms, whose popularity seems to be growing.


Cheers
--
Matteo Beccati

Development & Consulting - http://www.beccati.com/

Korvin Szanto

Aug 16, 2015, 6:10:25 PM
to php...@googlegroups.com
I agree that it is rare that security researchers use our public PGP key, but we should still provide support for projects that want to provide it. That's why I suggest we add it as SHOULD instead of MUST.

Dropping support for email reports in favor of a modern service is a good thing to bring up; we might have to make these email items optional?


Lukas Kahwe Smith

Aug 17, 2015, 4:22:58 AM
to php...@googlegroups.com

> On 17 Aug 2015, at 00:10, Korvin Szanto <korvin...@gmail.com> wrote:
>
> I agree that it is rare that security researchers use our public pgp key, but we should still provide support for projects that want to provide it. That's why I suggest we add it as SHOULD instead of MUST.
>
> Dropping support for email reports in favor of a modern service is a good thing to bring up, we might have to make these email items optional?

Agreed on promoting PGP. We added the provision of "Projects SHALL NOT use contact forms." because we were concerned that many projects will eat their own dog food and therefore the contact form might be compromised. That of course isn't relevant for all member projects, but it was a concern. That being said, indeed it's easier to secure an online form than securing email, since PGP and friends are still this niche arcane knowledge. Maybe we should rather encourage using separate infrastructure (and tooling) for the security contact form. Ideally actually someone might create a service for this.

regards,
Lukas Kahwe Smith
sm...@pooteeweet.org


Lukas Kahwe Smith

Aug 17, 2015, 4:23:28 AM
to php...@googlegroups.com

> I see that we have "author" which I imagine is to credit the security researcher, but could also be interpreted to credit the person who resolved the security issue. I think we should make a distinction between these two and offer the ability to provide not only "author" but "reported by", "fixed by", and "verified by".

Can you submit a PR for this?

Korvin Szanto

Aug 18, 2015, 7:37:53 PM
to php...@googlegroups.com


Lukas Kahwe Smith

Aug 19, 2015, 5:08:00 AM
to php...@googlegroups.com

> On 19 Aug 2015, at 01:37, Korvin Szanto <korvin...@gmail.com> wrote:
>
> Submitted a pull request: https://github.com/php-fig/fig-standards/pull/603

thanks .. looks good to me!

Lukas Kahwe Smith

Sep 29, 2015, 10:05:48 AM
to php...@googlegroups.com

> On 19 Aug 2015, at 11:07, Lukas Kahwe Smith <sm...@pooteeweet.org> wrote:
>
>
>> On 19 Aug 2015, at 01:37, Korvin Szanto <korvin...@gmail.com> wrote:
>>
>> Submitted a pull request: https://github.com/php-fig/fig-standards/pull/603
>
> thanks .. looks good to me!

also submitted a PR for the PGP requirement:
https://github.com/php-fig/fig-standards/pull/635

Dracony

Sep 29, 2015, 12:51:58 PM
to PHP Framework Interoperability Group
A separate infrastructure would be a great idea. There are so many great things to be done with centralized tools like these, especially for displaying researcher credit later on. Getting on that list would be a great incentive for PHP companies dealing with security auditing etc., and thus bring free workpower to open source.

Michael Cullum

Sep 8, 2017, 4:34:21 PM
to FIG, PHP
Apologies for the recent spam; unfortunately there's not a huge amount we can do other than be reactionary to such things due to the platform. I've banned the user in question and deleted their messages from Google groups.

Many thanks,
Michael

On 8 Sep 2017 8:43 pm, <richr...@gmail.com> wrote:
