Qt Contributor Summit 2019 - Security Policy

From Qt Wiki
Revision as of 10:20, 21 November 2019 by Thiago Macieira

See QUIP for proposal - https://codereview.qt-project.org/c/meta/quips/+/278819

  • Keep the security core team very small
    • Members must be approvers
  • The group of people subscribed to the security list is larger
  • Our security processes already include:
    • "Four eyes" review process (no one can integrate their own changes unreviewed)
    • Static analysis (Giuseppe uploads the results every Sunday)
    • Fuzzing is done for some of the modules designed to consume untrusted data (Robert had a session on this and will provide more details)
    • Third-party components are updated every release
  • Third-party component updating:
    • For Qt 5, remain as is, with manual processes
    • For Qt 6, with CMake, upgrading should be easy (a single command), so customers can do it too
    • We may need to patch when there are fixes from third parties that are not in any release yet
  • Proposal: third-party support bundle
    • For all binary builds, create a bundle of all third-party content built as regular shared libraries/DLLs
    • Updated whenever those third parties make new releases and whenever fixes are necessary
    • Shared among all Qt versions
    • Release announcements list the vulnerabilities fixed