[Development] RFC: Qt Security Policy

Ziller Eike Eike.Ziller at digia.com
Wed Oct 10 14:29:45 CEST 2012

On 10 Oct 2012, at 13:25, d3fault <d3faultdotxbe at gmail.com> wrote:

> On Wed, Oct 10, 2012 at 2:34 AM, Ziller Eike <Eike.Ziller at digia.com> wrote:
>>> -CVE/CERT aka private/exclusive notifications go to some email address
>>> that only core security team has access to:
>>> security-private at qt-project.org or something
>> in the proposal that is security at qt-project.org
> Yes, but it is a private email address that only the core security
> team has read access to. I am proposing we change that, and the
> creation of the security-private at qt-project.org is to accommodate for
> CVE/Cert requiring non-disclosure. I guess other people could send to
> it too but I don't really care what goes on in there to be honest.
>>> -security at qt-project.org becomes 'Security' mailing list, public
>>> Read/Write. Only people interested in security read from or post to
>>> this list. Questions, suggestions, etc
>> in the proposal that is development@ and/or interest@
> Exactly, it isn't there. Security issues should be handled, or at the
> very least categorized, differently from regular development/interest
> discussion.
>>> -security-announce at qt-project.org/Security-announce mailing list
>>> announces immediately on (a) vuln existence confirmation, (b) vuln fix
>>> (a and b can be grouped together, but a should not wait for b).
>>> Distributors and Qt _users_ alike subscribe to this list, but with
>>> Read-Only access. Core security team has write access
>> in the proposal that is announce@
> Eh, not really. Nothing was mentioned about dispatching an email
> immediately after a vuln is confirmed.

* Security issues will be disclosed by an email to the announce at
  mailing list.
* The security announcement should describe:
  * The security issue.
  * How and when it will be addressed.
  * Sufficient technical detail to allow users of Qt to determine the impact
    on their applications.
  * How to fix or work-around the issue in existing installations and

So the original proposal is to announce security issues after they have been "triaged" by the security team that receives the mail on the private security mailing list.

> And if you want to flood the
> main Announce with boring (to most) security posts then go for it...
> but I wouldn't.

Information about security issues in Qt is certainly not boring ;) and everyone should be informed.

> Also what's with your post you basically just re-stated everything in
> the original proposal with nothing new added. Are you trolling me or
> …?

I was trying to say that I think the only difference between your proposal and the original proposal is the exact naming of the mailing lists. Sorry that I didn't state that explicitly; I thought it was deducible from context.

Eike Ziller, Senior Software Engineer - Digia, Qt
Digia Germany GmbH, Rudower Chaussee 13, D-12489 Berlin
Geschäftsführer: Mika Pälsi, Juha Varelius, Anja Wasenius
Sitz der Gesellschaft: Berlin, Registergericht: Amtsgericht Charlottenburg, HRB 144331 B
