Cyber-Security and implications on the Qt Project: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
(Add some notes (from memory) regarding the second part of this session) |
||
Line 12: | Line 12: | ||
* Whether the same SBOM infrastructure can be used for KDE | * Whether the same SBOM infrastructure can be used for KDE | ||
* Was there any reaching out to other communities to agree on an informal standard | * Was there any reaching out to other communities to agree on an informal standard | ||
[[File:QtCS 2024 - Cyber Security - Accounts.pdf|thumb]] | |||
Security header for code files | |||
* QUIP-23 under review at https://codereview.qt-project.org/c/meta/quips/+/575276 | |||
Qt and Gerrit Account management | |||
* Time of inactivity before account gets deactivated/privileges removed: for people on parental leave, 6/12 months might be short | |||
** but as long as reactivating is a self-service, it shouldn't be an issue | |||
* Also, require 2FA for approvers | |||
* Self-approval only when there is at east one +1 from another person? | |||
** security theatre: anyone can create a second, fake Qt account to give a +1; so doesn't help against bad actors | |||
[[Category:QtCS2024]] | [[Category:QtCS2024]] |
Latest revision as of 07:45, 20 September 2024
Session Summary
Session Owners
Discussion
- Why is SBOM not the default, rather than an opt-in
- Is there a plan to improve /automate 3rd party source updates
- Whether the same SBOM infrastructure can be used for KDE
- Was there any reaching out to other communities to agree on an informal standard
Security header for code files
- QUIP-23 under review at https://codereview.qt-project.org/c/meta/quips/+/575276
Qt and Gerrit Account management
- Time of inactivity before account gets deactivated/privileges removed: for people on parental leave, 6/12 months might be short
- but as long as reactivating is a self-service, it shouldn't be an issue
- Also, require 2FA for approvers
- Self-approval only when there is at east one +1 from another person?
- security theatre: anyone can create a second, fake Qt account to give a +1; so doesn't help against bad actors