summarizing the current state of discussion


Lukas Kahwe Smith

Dec 17, 2014, 10:36:38 AM
to php-fig-psr-...@googlegroups.com
Aloha,

I think we have a pretty decent state now with our discussions that it would be time to start summarizing our findings into the PSR-9 documents. I will try to set aside some time over the weekend to work on this, but welcome any support I can get from you guys. I guess the best course of action is that you all send PRs to my fork, so that I can bundle all changes into a single PR to the fig repo.

regards,
Lukas

enygma

Dec 22, 2014, 2:54:28 PM
to php-fig-psr-...@googlegroups.com
Any progress made on this one?

-chris

Lukas Kahwe Smith

Dec 23, 2014, 12:00:20 PM
to php-fig-psr-...@googlegroups.com

> On 22 Dec 2014, at 20:59, Lukas Smith <sm...@pooteeweet.org> wrote:
>
> no. but I have allocated a few hours each for the next two days.

ok .. sat my ass down finally for an hour:
https://github.com/php-fig/fig-standards/pulls/lsmith77

still needs a ton of work.
I will go over all emails once more to ensure I didn’t miss anything.
I made a few “calls” already, using Atom as the basis, requiring a URL and discouraging use of VCS for disclosures. But of course nothing is set in stone yet.

will try to do some more tomorrow and of course I invite you all to contribute :)

regards,
Lukas Kahwe Smith
sm...@pooteeweet.org




Pádraic Brady

Dec 23, 2014, 5:52:54 PM
to Lukas Kahwe Smith, php-fig-psr-9-.
Great!

I'll have to wait until after the unwrapping-presents time of the year
before chipping in though. Or perhaps it's the wheel-unwrapping
festival? My dad has bought new tires and I'm guessing they are
sitting outside in MY garage for a reason!

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative

Chris Cornutt

Dec 23, 2014, 8:37:13 PM
to Pádraic Brady, Lukas Kahwe Smith, php-fig-psr-9-.
yup, about the same here between travel and the big day(s). no tires in my future though :)

happy holidays,
-chris



--
Senior Editor
PHPDeveloper.org
ccor...@phpdeveloper.org
@enygma

Lukas Kahwe Smith

Dec 29, 2014, 9:05:36 AM
to Chris Cornutt, padraic brady, php-fig-psr-9-.

> On 24 Dec 2014, at 02:37, Chris Cornutt <eny...@phpdeveloper.org> wrote:
>
> yup, about the same here between travel and the big day(s). no tires in my future though :)
>
> happy holidays,
> -chris
>
> On Tue, Dec 23, 2014 at 4:52 PM, Pádraic Brady <padrai...@gmail.com> wrote:
> Great!
>
> I'll have to wait until after the unwrapping-presents time of the year
> before chipping in though. Or perhaps it's the wheel-unwrapping
> festival? My dad has bought new tires and I'm guessing they are
> sitting outside in MY garage for a reason!

looking forward to your feedback.
I must admit I never extended Atom before and am noticing my XML-foo has suffered over the years :)

One interesting idea I got while writing is that imho it would be kind of cool if especially smaller libraries could just reference PSR-9 instead of having their own dedicated page for the security process. This means that PSR-9 would provide “defaults” for contact information etc from which users can just infer the email address .. or maybe it would boil down to “we follow PSR-9 and our email for security stuff is X”. in general security processes could also just be a reference to PSR-9 plus a delta of everything that is different (ie. not following optional stuff) or expanded.

Lukas Kahwe Smith

Jan 4, 2015, 6:23:29 AM
to Chris Cornutt, padraic brady, php-fig-psr-9-.
*nudge* :)

enygma

Jan 5, 2015, 11:31:30 AM
to php-fig-psr-...@googlegroups.com, eny...@phpdeveloper.org, padrai...@gmail.com
Sorry about that - the holidays took their toll on my time :)
The current docs are looking good, a few suggestions:

1. In the "Security Disclosure Process" section, that "...?" could be replaced with a brief summary of responsible disclosure practices. Things like not posting a public PR/Issue about the problem, contacting the security team first, a reasonable amount of time before the issue is publicly disclosed, etc.
2. Is an example of a document going to be provided as a part of the spec?

-chris

Lukas Kahwe Smith

Jan 5, 2015, 12:28:43 PM
to php-fig-psr-...@googlegroups.com, eny...@phpdeveloper.org, padraic brady

> On 05 Jan 2015, at 17:31, enygma <eny...@phpdeveloper.org> wrote:
>
> Sorry about that - the holidays took their toll on my time :)
> The current docs are looking good, a few suggestions:
>
> 1. In the "Security Disclosure Process" section, that "...?" could be replaced with a brief summary of responsible disclosure practices. Things like not posting a public PR/Issue about the problem, contacting the security team first, a reasonable amount of time before the issue is publicly disclosed, etc.

the “…?” is just a place holder of course and should indeed be filled with sensible content :)

> 2. Is an example of a document going to be provided as a part of the spec?

again, the goal that I tried to achieve is that a library author can essentially reduce their security procedures to:

"I follow PSR-9"

or maybe

"I follow PSR-9 and my contact email is security@org"

enygma

Jan 5, 2015, 12:30:56 PM
to php-fig-psr-...@googlegroups.com, eny...@phpdeveloper.org, padrai...@gmail.com
Is this not indicated by defining the document? Other than that and the security@ email address, what other things would the scope of PSR-9 include?

Lukas Kahwe Smith

Jan 5, 2015, 12:35:15 PM
to enygma, php-fig-psr-...@googlegroups.com, padraic brady
not sure I follow.

PSR-9 currently has the scope of defining:

1) Security Disclosure Process Discovery
2) Security Disclosure Process
3) Disclosure Discovery
4) Disclosure Format

For all but 2), the current draft is already somewhat detailed. For 2) I would expect stuff like what time interval can be expected for responses etc. So all of that is clearly still missing.

enygma

Jan 5, 2015, 12:44:32 PM
to php-fig-psr-...@googlegroups.com, eny...@phpdeveloper.org, padrai...@gmail.com
Er, sorry - probably not the best wording on my part. I was mixing the two things (the documentation and the process) in my head and trying to think of what else "external" would be needed for the process, like the email address. Additionally, do you think we need to provide a good example of a bug report? Might be out of the scope of the doc, but it could be a helpful baseline.

Lukas Kahwe Smith

Jan 5, 2015, 2:58:56 PM
to enygma, php-fig-psr-9-., padraic brady
well I think we can certainly have a suggested example bug report in the 2) section.

BTW we might still decide in the end to split 1/2) and 3/4) into separate PSRs

matteo.beccati

Jan 12, 2015, 5:58:35 AM
to php-fig-psr-...@googlegroups.com, eny...@phpdeveloper.org, padrai...@gmail.com
Hi everyone,

I'm a bit late to the party... I didn't actually realize until a few days ago that the discussions on PSR-9 did already start.

I'd love to give my own little contribution to this PSR if I can. I've published my first security advisory for phpAdsNew almost 10yrs ago and during the years it's mostly been me fixing the issues that had been reported and disclosing the information in a sensible manner.

First of all let me say that Lukas (and whoever else contributed) did a great job so far! The PR looks very promising!

I'd personally vote for the separation of the security process and discovery "service" into separate PSR documents. I think the discovery service/format is extremely interesting, but its audience is probably more limited (very useful for libraries, a bit less for the "big" projects that are distributed via zip files).

If you think it's useful, in the coming days I will share the procedures that I usually follow.

I also have a few little suggestions to make for the PR and I'm not sure if it's best to add inline comments to the PR or send them here.


Cheers

Lukas Kahwe Smith

Jan 19, 2015, 10:51:42 AM
to matteo.beccati, php-fig-psr-...@googlegroups.com, eny...@phpdeveloper.org, padraic brady
it seems like most people are busy with other stuff. I think the current state isn’t ideal to bring it back to the main list for discussion but as things are stalled here atm .. maybe it’s still better to do this to get things moving again ..

enygma

Jan 19, 2015, 11:01:43 AM
to php-fig-psr-...@googlegroups.com, matteo....@gmail.com, eny...@phpdeveloper.org, padrai...@gmail.com
Okay, sorry for being a bit lax on this...been a busy start to the new year :) I agree with the motion to split them up. It seems like they could benefit from having a bit more focus (single responsibility principle? heh). I think they're also a good complement that way, one grouping leading to the other (security disclosure results in the definition being used to report it and so on).

-chris

Larry Garfield

Jan 19, 2015, 3:31:56 PM
to php-fig-psr-...@googlegroups.com
+1 to splitting this into a "process PSR" and a "technical PSR".

--Larry Garfield

Lukas Kahwe Smith

Jan 19, 2015, 3:33:59 PM
to Larry Garfield, php-fig-psr-...@googlegroups.com

> On 19 Jan 2015, at 21:31, Larry Garfield <la...@garfieldtech.com> wrote:
>
> +1 to splitting this into a "process PSR" and a "technical PSR".
>
> --Larry Garfield
>
>> On 01/19/2015 10:01 AM, enygma wrote:
>> Okay, sorry for being a bit lax on this...been a busy start to the new year :) I agree with the motion to split them up. It seems like they could benefit from having a bit more focus (single responsibility principle? heh). I think they're also a good complement that way, one grouping leading to the other (security disclosure results in the definition being used to report it and so on).
>

should we do this now already or wait until the document is more mature?
I guess we then need to ask for another PSR number?

regards,
Lukas

enygma

Jan 27, 2015, 11:42:33 AM
to php-fig-psr-...@googlegroups.com, la...@garfieldtech.com
I think doing it now is a good way to go - there's already a pretty good start on the docs as is, enough to make the split.
 


Lukas Kahwe Smith

Feb 8, 2015, 11:11:32 AM
to enygma, php-fig-psr-9-., Larry Garfield

> On 27 Jan 2015, at 17:42, enygma <eny...@phpdeveloper.org> wrote:

> I think doing it now is a good way to go - there's already a pretty good start on the docs as is, enough to make the split.

OK .. I have updated https://github.com/php-fig/fig-standards/pull/393

enygma

Feb 20, 2015, 9:33:52 AM
to php-fig-psr-...@googlegroups.com, eny...@phpdeveloper.org, la...@garfieldtech.com
On Sunday, February 8, 2015 at 11:11:32 AM UTC-5, Lukas Kahwe Smith wrote:

> > On 27 Jan 2015, at 17:42, enygma <eny...@phpdeveloper.org> wrote:
> >
> > I think doing it now is a good way to go - there's already a pretty good start on the docs as is, enough to make the split.
>
> OK .. I have updated https://github.com/php-fig/fig-standards/pull/393

Looks good - I know we've been bad about keeping the momentum going here, but I want to get these two rolling and up for consideration. Lukas, where do you think we're at....what steps are left after the split?

Lukas Kahwe Smith

Feb 20, 2015, 9:57:54 AM
to enygma, php-fig-psr-...@googlegroups.com, la...@garfieldtech.com
I think the main step is getting another PSR number. From my understanding this would be the job of the sponsors. Afaik Korvin did the initial PSR-9 call for vote. Maybe Larry can do it for this second PSR number?

regards,
Lukas

Larry Garfield

Feb 20, 2015, 7:34:59 PM
to php-fig-psr-...@googlegroups.com
I'm happy to act as the Coordinator for the data format fork with Korvin as the Sponsor if he's up for it. (That would be inverse of what we are on PSR-9, which would become just the policies/process PSR, right?)

Korvin?  And who would be the Editor?  (Forgive me if we discussed this a few weeks ago and I've just forgotten.)

--Larry Garfield

enygma

Mar 15, 2015, 10:46:36 AM
to php-fig-psr-...@googlegroups.com
Are we stalling out here? I'd really like to see this keep moving forward but it seems like we haven't had much activity since mid-February.
@all, what are the next steps? We have the base to work from so I know it can be refined and ready for viewing by the larger FIG group...

-chris

Lukas Kahwe Smith

Mar 15, 2015, 11:15:11 AM
to enygma, php-fig-psr-...@googlegroups.com

> On 15 Mar 2015, at 15:46, enygma <eny...@phpdeveloper.org> wrote:
>
> Are we stalling out here? I'd really like to see this keep moving forward but it seems like we haven't had much activity since mid-February.
> @all, what are the next steps? We have the base to work from so I know it can be refined and ready for viewing by the larger FIG group...

I have just returned from playing the frisbee world championships and this topic is now back on the top of my OSS agenda. indeed we are stalling mostly on the need to get another PSR number. Korvin did the original vote and I was hoping to get him to do it for this additional PSR number too .. but I guess let's not get bogged down on this. Who is up for calling for a vote for this additional PSR?

regards,
Lukas

Larry Garfield

Mar 16, 2015, 12:32:59 PM
to php-fig-psr-...@googlegroups.com
Are you willing to be the Editor for both? We need the core WG defined
before the vote can be called. (I am the Sponsor for PSR-9, and offered
to be Sponsor or Coordinator for PSR-9b, but we need to confirm the
other two.)

--Larry Garfield

Lukas Kahwe Smith

Mar 16, 2015, 1:33:46 PM
to Larry Garfield, php-fig-psr-...@googlegroups.com
I am willing to be the editor for both unless someone else really wants to.

regards,
Lukas

Korvin Szanto

Mar 17, 2015, 6:13:19 PM
to Lukas Kahwe Smith, Larry Garfield, php-fig-psr-...@googlegroups.com
I didn't see this email until today!
I'm spending some time getting caught up with the current state of PSR-9, I'd like to be more involved in the discussion moving forward and would love to sponsor 9b.




Larry Garfield

Mar 25, 2015, 6:57:00 PM
to Korvin Szanto, Lukas Kahwe Smith, php-fig-psr-...@googlegroups.com
Right, so the plan is:

- Lukas splits off the spec parts of PSR-9 to a new spec and metadoc.
- I then open an Entrance vote for what would become PSR-10, with Lukas
as editor, myself as Coordinator, and Korvin as Sponsor.

Lukas, do we have those files yet I can reference?

--Larry Garfield

On 3/17/15 5:13 PM, Korvin Szanto wrote:
> I didn't see this email until today!
> I'm spending some time getting caught up with the current state of
> PSR-9, I'd like to be more involved in the discussion moving forward and
> would love to sponsor 9b.

Lukas Kahwe Smith

Mar 26, 2015, 4:02:56 AM
to Larry Garfield, Korvin Szanto, php-fig-psr-...@googlegroups.com

> On 25 Mar 2015, at 23:57, Larry Garfield <la...@garfieldtech.com> wrote:
>
> Right, so the plan is:
>
> - Lukas splits off the spec parts of PSR-9 to a new spec and metadoc.

already done weeks ago https://github.com/php-fig/fig-standards/pull/393

> - I then open an Entrance vote for what would become PSR-10, with Lukas as editor, myself as Coordinator, and Korvin as Sponsor.

+1

Larry Garfield

Mar 26, 2015, 1:03:58 PM
to php-fig-psr-...@googlegroups.com
After some IRC discussion to clarify what goes where, I've put out the
request to fork:

https://groups.google.com/d/msgid/php-fig/55143B92.5070908%40garfieldtech.com

--Larry Garfield