[Development] proposal: security mailing list

lars.knoll at nokia.com
Tue Nov 15 21:30:23 CET 2011


On 11/15/11 2:33 PM, "ext Richard Moore" <rich at kde.org> wrote:

>On Tue, Nov 15, 2011 at 11:30 AM, Peter Hartmann
><peter.hartmann at nokia.com> wrote:
>> I would like to propose the introduction of a low-traffic security
>> mailing list for posting security patches for Qt.
>> Right now we always need to write a blog post entry with an attached
>> diff (see for instance [1]), but since e.g. SSL certificates get
>> compromised a lot these days, this does not scale that well. So maybe a
>> mailing list of its own with important security-related updates would be
>> helpful for Linux package maintainers and others.
>
>I think this makes complete sense.
>
>>
>> There was the suggestion that this list should be private; personally I
>> rather favor a public list, because usually when creating patches for Qt
>> similar patches have landed in other public repositories already (e.g.
>> Chromium or Mozilla). The reason for that is that most of the security
>> patches were made regarding blacklisting fraudulent certificates rather
>> than fixing memory corruption bugs which should be kept secret.
>
>I think a public list should be fine for the announcements. It doesn't
>stop there being a private list too if needed for privately discussing
>issues before they are addressed.

The reason why many other projects have private lists for security issues
is to avoid making zero-day exploits widely known. It would most likely be
good to also be able to discuss some of these issues in a more closed
mailing list, not to be less transparent, but to not tell hackers about
the issues before we have a fix.

A public announcement list might be needed as well, but for that we could
simply use announce at qt-project.org.

Cheers,
Lars
