QtCS2018 Third-Party Sources Policy and Security

From Qt Wiki
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Host: Thiago Macieira
Notes: Kai Koehne

Motivation: Intel Clear Linux has the policy to fix any CVE within 24 hours

  • Hard to do for third-party code that's entangled in Qt

Notorious offenders: Image plugins (eg. libtiff)

  • We should aim for using system libraries for all image formats
  • Work started already for macOS
  • Can we do this for Windows? (AP)

Can we just rely a lot more on system libraries?

  • Linux should be fine
  • Can we use Vcpkg as a common package management system?
  • Alternative: Build ourself, but as separate library, so that we can update it separately

Some are deeply entangled

  • FreeBSD strtoll and strtoull
  • We become responsible and need to issue a separate CVE

Discussion for Rules

  • If system library is found, use system library
    • Agreed
  • If not, use bundled copy
    • Maybe provide a configure option for that? -no-bundled-libraries, making all bundled libraries opt-in (see QTBUG-68815)

We should aim for always shipping latest version available

  • At FF time latest (minor) update
  • Continue follow minor upstream version

Security issues should block release

  • Existing releases: Release a patch
    • Issue: Chromium releases dozens of security related patches per month!
    • How to decide what is really critical? Sometimes non-critical issues escalate over time ...

First step is to actually document what we ship

  • We got better there, but still miss integration with configure to actually show what is included
  • Let's not forget the majority of our customers, who won't update Qt weekly, let alone monthly!

How often should we do patch set releases?

  • Current goal: Patch releases 3-4 weeks
  • We cannot do new stable patch releases for every single upstream version
  • -> It should be enough to provide patches for security fixes

Assign maintainers for Third Party Components

  • Some modules are unmaintained
  • Should we have dedicated maintainers for all third party modules?
    • Hard to get already maintainers for existing modules
    • This is for much more limited scope though
  • Monitoring system for upstream CVE's?
    • Yocto has a system

Qt Creator

  • Should it need security updates too?
  • Some customers might require that...
  • Clashes with some downstream security policies
Retrieved from "https://wiki.qt.io/index.php?title=QtCS2018_Third-Party_Sources_Policy_and_Security&oldid=34194"