[Development] RFC: Qt Security Policy

Ziller Eike Eike.Ziller at digia.com
Wed Oct 10 11:34:33 CEST 2012


On 10 Oct 2012, at 11:18, d3fault <d3faultdotxbe at gmail.com> wrote:

> Oh right this is where I'm supposed to disagree or object or
> something... See:
> http://lists.qt-project.org/pipermail/development/2012-October/006892.html
> 
> tl;dr: I object on the grounds that behind closed doors security is
> not only a waste of time, it also hurts Qt _users_.



> Do This:
> -CVE/CERT aka private/exclusive notifications go to some email address
> that only core security team has access to:
> security-private at qt-project.org or something

in the proposal that is security at qt-project.org

> -security at qt-project.org becomes 'Security' mailing list, public
> Read/Write. Only people interested in security read from or post to
> this list. Questions, suggestions, etc

in the proposal that is development@ and/or interest@

> -security-announce at qt-project.org/Security-announce mailing list
> announces immediately on (a) vuln existence confirmation, (b) vuln fix
> (a and b can be grouped together, but a should not wait for b).
> Distributors and Qt _users_ alike subscribe to this list, but with
> Read-Only access. Core security team has write access

in the proposal that is announce@

-- 
Eike Ziller, Senior Software Engineer - Digia, Qt
 
Digia Germany GmbH, Rudower Chaussee 13, D-12489 Berlin
Geschäftsführer: Mika Pälsi, Juha Varelius, Anja Wasenius
Sitz der Gesellschaft: Berlin, Registergericht: Amtsgericht Charlottenburg, HRB 144331 B




More information about the Development mailing list