[Development] RFC: Qt Security Policy

Richard Moore rich at kde.org
Wed Oct 10 17:06:43 CEST 2012


On 10 October 2012 14:02, Konstantin Tokarev <annulen at yandex.ru> wrote:
>
>
> 09.10.2012, 20:59, "Richard Moore" <rich at kde.org>:
>> On 9 October 2012 09:21, Marc Mutz <marc.mutz at kdab.com> wrote:
>>
>>>  Hi Rich,
>>>
>>>  Thanks for taking the time to write this up. I have but one question:
>>>
>>>  On Monday October 8 2012, Richard Moore wrote:
>>>>   * Where possible packagers should be informed directly of which SHA1s they
>>>>     should cherry pick in order to get a security fix.
>>>  What process do you recommend to prevent the Gerrit review of the patch (a
>>>  necessary precondition for obtaining a final SHA1 of the commit) from
>>>  (prematurely) disclosing the vulnerability?
>>
>> That's a real problem I agree. There's some discussion on the topic here:
>> https://bugs.launchpad.net/openstack-ci/+bug/902052
>
> Launchpad is certainly the wrong place to discuss this topic. It should be
> submitted as a feature request to Gerrit.

It was discussed with the Gerrit people; there's a response from them
in the comments where they discuss how they handle the same issue for
security holes in Gerrit itself. The short version is that they have a
second, private Gerrit instance for this.

Cheers

Rich.