[Development] RFC: Qt Security Policy

Hausmann Simon Simon.Hausmann at digia.com
Wed Oct 10 17:34:20 CEST 2012

I suggest git-send-email to the security list.

I've used email (git-send-email) based patch review in low traffic projects and found it to work really really well.


Sendt fra min Nokia N909.10.12 18:59 skrev Richard Moore:
On 9 October 2012 09:21, Marc Mutz <marc.mutz at kdab.com> wrote:
> Hi Rich,
> Thanks for taking the time to write this up. I have but one question:
> On Monday October 8 2012, Richard Moore wrote:
>>  * Where possible packagers should be informed directly of which SHA1s they
>>    should cherry pick in order to get a security fix.
> What process do you recommend to prevent the Gerrit review of the patch (a
> necessary precondition for obtaining a final SHA1 of the commit) from
> (prematurely) disclosing the vulnerability?

That's a real problem I agree. There's some discussion on the topic here:

One option I suspect is for us to prepare the fix and review it
outside of gerrit, so that we have it ready to go rapidly once we
disclose. This would allow distros etc. to performing testing via the
private notification list before it enters the main gerrit.


Development mailing list
Development at qt-project.org

More information about the Development mailing list