QtCS2018 Third-Party Sources Policy and Security: Difference between revisions
Jump to navigation
Jump to search
(hmm ... no, achieve consistency the opposite way ...) |
(stray duplicate word) |
||
Line 2: | Line 2: | ||
Host: Thiago Macieira<br /> | Host: Thiago Macieira<br /> | ||
Notes: Kai Koehne | Notes: Kai Koehne | ||
Motivation: Intel Clear Linux has the policy to fix any CVE within 24 hours | Motivation: Intel Clear Linux has the policy to fix any CVE within 24 hours | ||
Line 59: | Line 58: | ||
* Should it need security updates too? | * Should it need security updates too? | ||
* Some customers might require that... | * Some customers might require that... | ||
* Clashes with some | * Clashes with some downstream security policies |
Latest revision as of 09:16, 5 July 2018
Host: Thiago Macieira
Notes: Kai Koehne
Motivation: Intel Clear Linux has the policy to fix any CVE within 24 hours
- Hard to do for third-party code that's entangled in Qt
Notorious offenders: Image plugins (eg. libtiff)
- We should aim for using system libraries for all image formats
- Work started already for macOS
- Can we do this for Windows? (AP)
Can we just rely a lot more on system libraries?
- Linux should be fine
- Can we use Vcpkg as a common package management system?
- To be investigated (QTBUG-68816)
- Alternative: Build ourself, but as separate library, so that we can update it separately
Some are deeply entangled
- FreeBSD strtoll and strtoull
- We become responsible and need to issue a separate CVE
Discussion for Rules
- If system library is found, use system library
- Agreed
- If not, use bundled copy
- Maybe provide a configure option for that? -no-bundled-libraries, making all bundled libraries opt-in (see QTBUG-68815)
We should aim for always shipping latest version available
- At FF time latest (minor) update
- Continue follow minor upstream version
Security issues should block release
- Existing releases: Release a patch
- Issue: Chromium releases dozens of security related patches per month!
- How to decide what is really critical? Sometimes non-critical issues escalate over time ...
First step is to actually document what we ship
- We got better there, but still miss integration with configure to actually show what is included
- Let's not forget the majority of our customers, who won't update Qt weekly, let alone monthly!
How often should we do patch set releases?
- Current goal: Patch releases 3-4 weeks
- We cannot do new stable patch releases for every single upstream version
- -> It should be enough to provide patches for security fixes
Assign maintainers for Third Party Components
- Some modules are unmaintained
- Should we have dedicated maintainers for all third party modules?
- Hard to get already maintainers for existing modules
- This is for much more limited scope though
- Monitoring system for upstream CVE's?
- Yocto has a system
Qt Creator
- Should it need security updates too?
- Some customers might require that...
- Clashes with some downstream security policies