[Development] RFC: Qt Security Policy

d3fault d3faultdotxbe at gmail.com
Wed Oct 10 13:25:52 CEST 2012

On Wed, Oct 10, 2012 at 2:34 AM, Ziller Eike <Eike.Ziller at digia.com> wrote:
>> -CVE/CERT aka private/exclusive notifications go to some email address
>> that only core security team has access to:
>> security-private at qt-project.org or something
> in the proposal that is security at qt-project.org

Yes, but it is a private email address that only the core security
team has read access to. I am proposing we change that, and the
creation of security-private at qt-project.org is to accommodate
CVE/CERT requiring non-disclosure. I guess other people could send to
it too, but I don't really care what goes on in there, to be honest.

>> -security at qt-project.org becomes 'Security' mailing list, public
>> Read/Write. Only people interested in security read from or post to
>> this list. Questions, suggestions, etc
> in the proposal that is development@ and/or interest@

Exactly, it isn't there. Security issues should be handled, or at the
very least categorized, differently from regular development/interest.

>> -security-announce at qt-project.org/Security-announce mailing list
>> announces immediately on (a) vuln existence confirmation, (b) vuln fix
>> (a and b can be grouped together, but a should not wait for b).
>> Distributors and Qt _users_ alike subscribe to this list, but with
>> Read-Only access. Core security team has write access
> in the proposal that is announce@

Eh, not really. Nothing was mentioned about dispatching an email
immediately after a vuln is confirmed. And if you want to flood the
main Announce with boring (to most) security posts, then go for it...
but I wouldn't.

Also, what's with your post? You basically just re-stated everything in
the original proposal with nothing new added. Are you trolling me or
