Cyber-Security and implications on the Qt Project

From Qt Wiki

Jump to navigation Jump to search

Session Summary

QtContributorSummit 2024 SBOM.pdf

Session Owners

Discussion

Why is SBOM not the default, rather than an opt-in
Is there a plan to improve /automate 3rd party source updates
Whether the same SBOM infrastructure can be used for KDE
Was there any reaching out to other communities to agree on an informal standard

QtCS 2024 - Cyber Security - Accounts.pdf

Security header for code files

QUIP-23 under review at https://codereview.qt-project.org/c/meta/quips/+/575276

Qt and Gerrit Account management

Time of inactivity before account gets deactivated/privileges removed: for people on parental leave, 6/12 months might be short
- but as long as reactivating is a self-service, it shouldn't be an issue
Also, require 2FA for approvers
Self-approval only when there is at east one +1 from another person?
- security theatre: anyone can create a second, fake Qt account to give a +1; so doesn't help against bad actors

Retrieved from "https://wiki.qt.io/index.php?title=Cyber-Security_and_implications_on_the_Qt_Project&oldid=42761"

QtCS2024