Qt Contributor Summit 2019 - Security Policy: Difference between revisions

From Qt Wiki
Latest revision as of 14:23, 2 December 2019

See QUIP for proposal - https://codereview.qt-project.org/c/meta/quips/+/278819

  • Make the security core team very small
    • Must be a Qt Project Approver
  • The group of people subscribed to the security list is larger
  • Our security processes already include:
    • "Four eyes" review process (no one can introduce their own changes)
    • Static analyses (Giuseppe uploads every Sunday)
    • Fuzzing is done for some modules that are designed to consume untrusted data (Robert had a session on this and will have more details)
    • Update third-party components every release
  • Third-party component updating:
    • For Qt 5, remain as is, with manual processes
    • For Qt 6, with cmake, upgrading should be easy (single command), so customers can do it too
    • We may need to patch when there are fixes from third-parties that are not in any release yet
  • Proposal: third-party support bundle
    • For all binary builds, create a bundle of all third-party content built as regular shared libraries/DLLs
    • Updates whenever there are new releases for those third-parties and when there are fixes necessary
    • Shared among all Qt versions
    • Release announcements include the vulnerabilities fixed
    • Time frame: probably for 6.0
  • Proposal: core security team monitors third party CVE feeds
    • Update the bundled sources

The Core Security Team

The Core team is responsible for:

  • Moderating emails to security@qt-project.org
  • Triaging incoming reports, removing those that aren't security issues
  • Informing full security team (includes all maintainers)
  • Determining the responsible person for fixing the issue
  • Security issues are initially P0, but can be lowered after investigation
  • When confirmed as a security issue, the Core Security Team obtains a CVE number
  • Ensuring the assignee for the fix is working on it

Who is on this team? Volker will discuss with the Qt Company management and report.