[Development] Newlines in XHR / QNetworkAccessManager headers
d3faultdotxbe at gmail.com
Mon Oct 8 07:48:08 CEST 2012
On Sun, Oct 7, 2012 at 10:00 PM, Thiago Macieira
<thiago.macieira at intel.com> wrote:
> For obvious reasons, the security list is not public and is not open for
> subscription from other people. If you feel you have a reason to be in the
> security mailing list, please mail us there and ask to be subscribed. We're
> looking for people with the following skills:
What are those obvious reasons that trump transparency? Full
disclosure security is the best form of security.
You're talking about an official/internal 'team', whereas I'm talking
about a mailing list. The 'team' would be the only ones with write
access to Security-announce... but everyone should be encouraged to
contribute to Security-discussion. Everything should be done
transparently... else what is Open Governance but a marketing
Note: discussions between the security team members should take place
entirely on Security-discussion (allowing anybody to join in)... up
until they confirm the vuln and post it on Security-announce.
> 1) can provide advice in security-related matters, such as fixes to issues
> 2) can get around Qt's source code (knows where to find things)
> 3) can write code and unit tests, submit to the Qt repository
Can you add me then? I mostly just want to read it, but I might be
able to help somewhere.
^^See the problem here? Privileged information. Who knows what major
security holes are sitting in security at qt-project.org while the rest
of us sit around with our fingers crossed.
> As for the CRIME vulnerability, we had it fixed before the details were made
> public (by way of guessing what the issue was). The problem happened after the
> fix, in getting it published.
Yeah, some vague IRC discussions were happening between a few
developers, but it took a week+ before an announcement and patch
release was made. A post to Security-announce should have been made
immediately after it was confirmed (some would argue that the
announcement should wait until there's a fix, but I don't).