[Development] Newlines in XHR / QNetworkAccessManager headers

Thiago Macieira thiago.macieira at intel.com
Mon Oct 8 09:39:48 CEST 2012


On domingo, 7 de outubro de 2012 22.48.08, d3fault wrote:
> On Sun, Oct 7, 2012 at 10:00 PM, Thiago Macieira <thiago.macieira at intel.com> wrote:
> > For obvious reasons, the security list is not public and is not open for
> > subscription from other people. If you feel you have a reason to be in the
> > security mailing list, please mail us there and ask to be subscribed.
> > We're looking for people with the following skills:
> What are those obvious reasons that trump transparency? Full
> disclosure security is the best form of security.

Full disclosure *after* we've analysed the bug and delivered a fix, if 
necessary. Disclosing the details about an exploit before it's fixed is bad 
practice. That includes similar fixes delivered by others in other products, 
not just Qt.

> You're talking about an official/internal 'team', whereas I'm talking
> about a mailing list. The 'team' would be the only ones with write
> access to Security-announce... but everyone should be encouraged to
> contribute to Security-discussion. Everything should be done
> transparently... else what is Open Governance but a marketing
> buzz-word?

This is under Open Governance. You are invited to participate, if you have the 
skills. Just like the rest of the project rules.

But the mailing list needs to be closed.

> > 1) can provide advice in security-related matters, such as fixes to issues
> > 2) can get around Qt's source code (knows where to find things)
> > 3) can write code and unit tests, submit to the Qt repository
> 
> Can you add me then? I mostly just want to read it, but I might be
> able to help somewhere.

Given your past contributions, no, I won't sponsor you into the list. You're 
now reaching right about neutral in my book, from negative. Keep up the good 
work and I'll begin respecting your opinions soon. From there, it should take 
a few more months until I'm convinced you're "security list material". For 
example, I need to be convinced that you're going to follow the rules.

Others may have different opinions and may decide you should be added to the 
list.

> ^^See the problem here? Privileged information. Who knows what major
> security holes are sitting in security at qt-project.org while the rest
> of us sit around with our fingers crossed.

You trust the people who are there, you trust their credentials. We've got 
someone who does security analyses for a living.

> > As for the CRIME vulnerability, we had it fixed before the details were
> > made public (by way of guessing what the issue was). The problem happened
> > after the fix, in getting it published.
> 
> Yeah, some vague IRC discussions were happening between a few
> developers, but it took a week+ before an announcement and patch
> release was made. A post to Security-announce should have been made
> immediately after it was confirmed (some would argue that the
> announcement should wait until there's a fix, but I don't).

We recognise we dropped the ball. So we're working to improve.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center