[Development] RFC: Qt Security Policy

Richard Moore rich at kde.org
Wed Oct 10 17:06:43 CEST 2012

On 10 October 2012 14:02, Konstantin Tokarev <annulen at yandex.ru> wrote:
> 09.10.2012, 20:59, "Richard Moore" <rich at kde.org>:
>> On 9 October 2012 09:21, Marc Mutz <marc.mutz at kdab.com> wrote:
>>>  Hi Rich,
>>>  Thanks for taking the time to write this up. I have but one question:
>>>  On Monday October 8 2012, Richard Moore wrote:
>>>>   * Where possible packagers should be informed directly of which SHA1s they
>>>>     should cherry pick in order to get a security fix.
>>>  What process do you recommend to prevent the Gerrit review of the patch (a
>>>  necessary precondition for obtaining a final SHA1 of the commit) from
>>>  (prematurely) disclosing the vulnerability?
>> That's a real problem I agree. There's some discussion on the topic here:
>> https://bugs.launchpad.net/openstack-ci/+bug/902052
> Launchpad is certainly wrong place to discuss this topic. It should be
> submitted as feature request to Gerrit.

It was discussed with the Gerrit people, there's a response from them
in the comments where they discuss how they handle the same issue for
security holes in gerrit itself. Short version is that they have a
second private gerrit instance for this.



More information about the Development mailing list