QtCS2018 Third-Party Sources Policy and Security
Host: Thiago Macieira
Notes: Kai Koehne
Motivation: Intel Clear Linux has the policy to fix any CVE within 24 hours
- Hard to do for third-party code that's entangled in Qt
Notorious offenders: Image plugins (eg. libtiff)
- We should aim for using system libraries for all image formats
- Work started already for macOS
- Can we do this for Windows? (AP)
Can we just rely a lot more on system libraries?
- Linux should be fine
- Can we use Vcpkg as a common package management system?
- To be investigated (QTBUG-68816)
- Alternative: Build ourself, but as separate library, so that we can update it separately
Some are deeply entangled
- FreeBSD strtoll and strtoull
- We become responsible and need to issue a separate CVE
Discussion for Rules
- If system library is found, use system library
- If not, use bundled copy
- Maybe provide a configure option for that? -no-bundled-libraries, making all bundled libraries opt-in (see QTBUG-68815)
We should aim for always shipping latest version available
- At FF time latest (minor) update
- Continue follow minor upstream version
Security issues should block release
- Existing releases: Release a patch
- Issue: Chromium releases dozens of security related patches per month!
- How to decide what is really critical? Sometimes non-critical issues escalate over time ...
First step is to actually document what we ship
- We got better there, but still miss integration with configure to actually show what is included
- Let's not forget the majority of our customers, who won't update Qt weekly, let alone monthly!
How often should we do patch set releases?
- Current goal: Patch releases 3-4 weeks
- We cannot do new stable patch releases for every single upstream version
- -> It should be enough to provide patches for security fixes
Assign maintainers for Third Party Components
- Some modules are unmaintained
- Should we have dedicated maintainers for all third party modules?
- Hard to get already maintainers for existing modules
- This is for much more limited scope though
- Monitoring system for upstream CVE's?
- Yocto has a system
- Should it need security updates too?
- Some customers might require that...
- Clashes with some downstream security policies