[Development] Newlines in XHR / QNetworkAccessManager headers

Thiago Macieira thiago.macieira at intel.com
Mon Oct 8 07:00:48 CEST 2012


On Sunday, 7 October 2012 21.48.22, d3fault wrote:
> > If you find that it's a security issue, contact us at
> > security at qt-project.org so we can deal with it.
> 
> Can we get a Security mailing list that uses the email address
> provided above so as to keep the process more transparent? Qt's
> response time to the CRIME vulnerability is/was pathetic (I am
> partially to blame for that -- didn't report it thinking it would be
> fixed upstream in SSL itself).
> 
> Or perhaps two security related lists: Security-discussion (for a
> thread like this) and Security-announce (for confirmed vulns, perhaps
> read-only to the public)?

For obvious reasons, the security list is not public and is not open for 
subscription from other people. If you feel you have a reason to be in the 
security mailing list, please mail us there and ask to be subscribed. We're 
looking for people with the following skills:

1) can provide advice in security-related matters, such as fixes to issues
2) can get around Qt's source code (knows where to find things)
3) can write code and unit tests, submit to the Qt repository

Even then, we want to keep the team small. The objective of the security 
mailing list is to assess issues being reported and determine whether or not 
an urgent fix is required.

As for the CRIME vulnerability, we had it fixed before the details were made 
public (by way of guessing what the issue was). The problem happened after the 
fix, in getting it published.
-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center