Hi Kevin,
I shouldn't be surprised your solution is similar to the one I use
here. We review all 3rd party code from scratch without exception. On
the accountability side, I've been ignored, mocked, received reports
on my lack of knowledge and understanding, or been given
acknowledgments while Github repos remain dead to any fixes for
months. There are even cases where reports at alpha/beta still remain
open after high profile final releases... As usual, naming names would
be great for shaming them into compliance but it's often
irresponsible even if a cursory Github search would show issues. It
took months just to name HTML Sanitisers responsibly. Always a
tiresome wait...
That said, establishing a standard and having it adopted by a
community group is better than nothing at all. Like it or not, we're
self regulating with serious discipline issues ;). That won't change
any time soon. At least the tools for distributing vulnerability data
will exist for those who want to go the extra mile and earn some
goodwill. As Chris mentioned, one barrier is how to integrate 3rd
party disclosures into a voluntary system - there's no easy solution
there though I hope there's some method that could be implemented to
serve the target of all this - the folk checking if their dependency
versions are vulnerable to something. One step at a time, I suppose!
For now, the idea with PHP-FIG was to come up with something its members
would feel fine with adopting. It's a really small club but it
encompasses the likes of Symfony, Zend, Drupal and others (yes, even
Composer) that can establish a standard and put it in developers' hands.
Paddy
--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative