Cyber-Security and implications on the Qt Project: Difference between revisions

Latest revision as of 07:45, 20 September 2024

Why is SBOM not the default, rather than an opt-in
Is there a plan to improve /automate 3rd party source updates
Whether the same SBOM infrastructure can be used for KDE
Was there any reaching out to other communities to agree on an informal standard

Security header for code files

Qt and Gerrit Account management

Time of inactivity before account gets deactivated/privileges removed: for people on parental leave, 6/12 months might be short
- but as long as reactivating is a self-service, it shouldn't be an issue
Also, require 2FA for approvers
Self-approval only when there is at east one +1 from another person?
- security theatre: anyone can create a second, fake Qt account to give a +1; so doesn't help against bad actors

@@ Line 1: / Line 1: @@
 ==Session Summary==
+[[File:QtContributorSummit 2024 SBOM.pdf|thumb]]
 ==Session Owners==
@@ Line 11: / Line 12: @@
 * Whether the same SBOM infrastructure can be used for KDE
 * Was there any reaching out to other communities to agree on an informal standard
+[[File:QtCS 2024 - Cyber Security - Accounts.pdf|thumb]]
+Security header for code files
+* QUIP-23 under review at https://codereview.qt-project.org/c/meta/quips/+/575276
+Qt and Gerrit Account management
+* Time of inactivity before account gets deactivated/privileges removed: for people on parental leave, 6/12 months might be short
+** but as long as reactivating is a self-service, it shouldn't be an issue
+* Also, require 2FA for approvers
+* Self-approval only when there is at east one +1 from another person?
+** security theatre: anyone can create a second, fake Qt account to give a +1; so doesn't help against bad actors
 [[Category:QtCS2024]]