[Development] RFC: Qt Security Policy

Richard Moore rich at kde.org
Tue Oct 9 18:59:33 CEST 2012


On 9 October 2012 09:21, Marc Mutz <marc.mutz at kdab.com> wrote:
> Hi Rich,
>
> Thanks for taking the time to write this up. I have but one question:
>
> On Monday October 8 2012, Richard Moore wrote:
>>  * Where possible packagers should be informed directly of which SHA1s they
>>    should cherry pick in order to get a security fix.
>
> What process do you recommend to prevent the Gerrit review of the patch (a
> necessary precondition for obtaining a final SHA1 of the commit) from
> (prematurely) disclosing the vulnerability?

That's a real problem I agree. There's some discussion on the topic here:
https://bugs.launchpad.net/openstack-ci/+bug/902052

One option I suspect is for us to prepare the fix and review it
outside of gerrit, so that we have it ready to go rapidly once we
disclose. This would allow distros etc. to perform testing via the
private notification list before it enters the main gerrit.

Cheers

Rich.
