Cyber-Security and implications on the Qt Project

From Qt Wiki
Revision as of 07:45, 20 September 2024 by Volker Hilsheimer (talk | contribs) (Add some notes (from memory) regarding the second part of this session)

Session Summary

QtContributorSummit 2024 SBOM.pdf

Session Owners

Discussion

  • Why is SBOM not the default, rather than an opt-in?
  • Is there a plan to improve/automate 3rd party source updates?
  • Whether the same SBOM infrastructure can be used for KDE
  • Was there any reaching out to other communities to agree on an informal standard?
QtCS 2024 - Cyber Security - Accounts.pdf


Security header for code files

Qt and Gerrit Account management

  • Time of inactivity before account gets deactivated/privileges removed: for people on parental leave, 6/12 months might be short
    • but as long as reactivating is a self-service, it shouldn't be an issue
  • Also, require 2FA for approvers
  • Self-approval only when there is at least one +1 from another person?
    • Security theatre: anyone can create a second, fake Qt account to give a +1, so this doesn't help against bad actors