[Development] proposal: security mailing list

Richard Moore rich at kde.org
Tue Nov 15 14:33:44 CET 2011


On Tue, Nov 15, 2011 at 11:30 AM, Peter Hartmann
<peter.hartmann at nokia.com> wrote:
> I would like to propose the introduction of a low-traffic security
> mailing list for posting security patches for Qt.
> Right now we always need to write a blog post entry with an attached
> diff (see for instance [1]), but since e.g. SSL certificates get
> compromised a lot these days, this does not scale that well. So maybe a
> mailing list of its own with important security-related updates would be
> helpful for Linux package maintainers and others.

I think this makes complete sense.

>
> There was the suggestion that this list should be private; personally I
> rather favor a public list, because usually when creating patches for Qt
> similar patches have landed in other public repositories already (e.g.
> Chromium or Mozilla). The reason for that is that most of the security
> patches were made regarding blacklisting fraudulent certificates rather
> than fixing memory corruption bugs which should be kept secret.

I think a public list should be fine for the announcements. It doesn't
stop there being a private list too if needed for privately discussing
issues before they are addressed.

Rich.


