Cyber-Security and implications on the Qt Project
Session Summary
Session Owners
Discussion
- Why is SBOM not the default, rather than an opt-in
- Is there a plan to improve/automate 3rd party source updates
- Whether the same SBOM infrastructure can be used for KDE
- Was there any reaching out to other communities to agree on an informal standard
Security header for code files
- QUIP-23 under review at https://codereview.qt-project.org/c/meta/quips/+/575276
Qt and Gerrit Account management
- Time of inactivity before account gets deactivated/privileges removed: for people on parental leave, 6/12 months might be short
- but as long as reactivating is a self-service, it shouldn't be an issue
- Also, require 2FA for approvers
- Self-approval only when there is at least one +1 from another person?
- security theatre: anyone can create a second, fake Qt account to give a +1; so doesn't help against bad actors