[Development] Newlines in XHR / QNetworkAccessManager headers

d3fault d3faultdotxbe at gmail.com
Mon Oct 8 07:48:08 CEST 2012


On Sun, Oct 7, 2012 at 10:00 PM, Thiago Macieira
<thiago.macieira at intel.com> wrote:
> For obvious reasons, the security list is not public and is not open for
> subscription from other people. If you feel you have a reason to be in the
> security mailing list, please mail us there and ask to be subscribed. We're
> looking for people who with the following skills:
>

What are those obvious reasons that trump transparency? Full
disclosure security is the best form of security.

You're talking about an official/internal 'team', whereas I'm talking
about a mailing list. The 'team' would be the only ones with write
access to Security-announce... but everyone should be encouraged to
contribute to Security-discussion. Everything should be done
transparently... else what is Open Governance but a marketing
buzz-word?

Note: discussions between the security team members should take place
entirely on Security-discussion (allowing anybody to join in)... up
until they confirm the vuln and post it on Security-announce.

>
> 1) can provide advice in security-related matters, such as fixes to issues
> 2) can get around Qt's source code (knows where to find things)
> 3) can write code and unit tests, submit to the Qt repository
>

Can you add me then? I mostly just want to read it, but I might be
able to help somewhere.

^^See the problem here? Privileged information. Who knows what major
security holes are sitting in security at qt-project.org while the rest
of us sit around with our finger's crossed.

>
> As for the CRIME vulnerability, we had it fixed before the details were made
> public (by way of guessing what the issue was). The problem happened after the
> fix, in getting it published.

Yea some vague IRC discussions were happening between a few
developers, but it took a week+ before an announcement and patch
release was made. A post to Security-announce should have been made
immediately after it was confirmed (some would argue that the
announcement should wait until there's a fix, but I don't).

d3fault



More information about the Development mailing list