[Development] RFC: Qt Security Policy

Ziller Eike Eike.Ziller at digia.com
Wed Oct 10 14:29:45 CEST 2012


On 10 Oct 2012, at 13:25, d3fault <d3faultdotxbe at gmail.com> wrote:

> On Wed, Oct 10, 2012 at 2:34 AM, Ziller Eike <Eike.Ziller at digia.com> wrote:
>>> -CVE/CERT aka private/exclusive notifications go to some email address
>>> that only core security team has access to:
>>> security-private at qt-project.org or something
>> 
>> in the proposal that is security at qt-project.org
>> 
> 
> Yes, but it is a private email address that only the core security
> team has read access to. I am proposing we change that, and the
> creation of security-private at qt-project.org is to accommodate
> CVE/CERT requiring non-disclosure. I guess other people could send to
> it too, but I don't really care what goes on in there to be honest.
> 
>>> -security at qt-project.org becomes 'Security' mailing list, public
>>> Read/Write. Only people interested in security read from or post to
>>> this list. Questions, suggestions, etc
>> 
>> in the proposal that is development@ and/or interest@
>> 
> 
> Exactly, it isn't there. Security issues should be handled, or at the
> very least categorized, differently from regular development/interest
> discussion.
>>> -security-announce at qt-project.org/Security-announce mailing list
>>> announces immediately on (a) vuln existence confirmation, (b) vuln fix
>>> (a and b can be grouped together, but a should not wait for b).
>>> Distributors and Qt _users_ alike subscribe to this list, but with
>>> Read-Only access. Core security team has write access
>> 
>> in the proposal that is announce@
>> 
> 
> Eh, not really; nothing was mentioned about dispatching an email
> immediately after a vuln is confirmed.

"
* Security issues will be disclosed by an email to the announce at
  qt-project.org mailing list.
[…]
* The security announcement should describe:
  * The security issue.
  * How and when it will be addressed.
  * Sufficient technical detail to allow users of Qt to determine the impact
    on their applications.
  * How to fix or work-around the issue in existing installations and
    applications.
"

So the original proposal is to announce security issues after they have been "triaged" by the security team that receives the mail on the private security mailing list.

> And if you want to flood the
> main Announce with boring (to most) security posts, then go for it...
> but I wouldn't.

Information about security issues in Qt is certainly not boring ;) and everyone should be informed.

> Also, what's with your post? You basically just restated everything in
> the original proposal with nothing new added. Are you trolling me or
> …?

I was trying to say that I think the only difference between your proposal and the original proposal is the exact naming of the mailing lists. Sorry that I didn't state that explicitly; I thought it was deducible from context.

-- 
Eike Ziller, Senior Software Engineer - Digia, Qt
 
Digia Germany GmbH, Rudower Chaussee 13, D-12489 Berlin
Geschäftsführer: Mika Pälsi, Juha Varelius, Anja Wasenius
Sitz der Gesellschaft: Berlin, Registergericht: Amtsgericht Charlottenburg, HRB 144331 B
