[Development] RFC: Qt Security Policy

d3fault d3faultdotxbe at gmail.com
Fri Oct 19 00:40:00 CEST 2012


tl;dr:
Open Project
Closed Security

The officially endorsed method for reporting security issues for Qt is
to send them to security at qt-project.org, which is a private mailing
list. I have a problem with that.

"Experience has shown that 'security through obscurity' does not work.
Public disclosure allows for more rapid and better solutions to
security problems" ( http://www.debian.org/security/ ).

"Security information moves very fast in cracker circles. On the other
hand, our experience is that coding and releasing of proper security
fixes typically requires about an hour of work -- very fast fix
turnaround is possible. Thus we think that full disclosure helps the
people who really care about security" (
http://openbsd.org/security.html ).

If the Qt Project does not intend to take security issues seriously,
then we should remove security-related classes from the project
(QSslSocket namely). Leaving them in is misleading.

d3fault