Cyber-Security and implications on the Qt Project

From Qt Wiki
Latest revision as of 07:45, 20 September 2024

Session Summary

QtContributorSummit 2024 SBOM.pdf

Session Owners

Discussion

  • Why is SBOM not the default, rather than an opt-in
  • Is there a plan to improve/automate 3rd party source updates
  • Whether the same SBOM infrastructure can be used for KDE
  • Was there any reaching out to other communities to agree on an informal standard
QtCS 2024 - Cyber Security - Accounts.pdf


Security header for code files

  • QUIP-23 under review at https://codereview.qt-project.org/c/meta/quips/+/575276

Qt and Gerrit Account management

  • Time of inactivity before an account gets deactivated/privileges removed: for people on parental leave, 6/12 months might be short
    • but as long as reactivating is self-service, it shouldn't be an issue
  • Also, require 2FA for approvers
  • Self-approval only when there is at least one +1 from another person?
    • security theatre: anyone can create a second, fake Qt account to give a +1; so it doesn't help against bad actors