[Development] RFC: Qt Security Policy

slfj sfjie provingapoint12345 at gmail.com
Fri Oct 19 03:50:20 CEST 2012


>
> tl;dr:
> Open Project
> Closed Security
>
> The officially endorsed method for reporting security issues for Qt is
> to send them to security at qt-project.org , which is a private mailing
> list. I have a problem with that.
>
> "Experience has shown that 'security through obscurity' does not work.
> Public disclosure allows for more rapid and better solutions to
> security problems" ( http://www.debian.org/security/ ).
>
> "Security information moves very fast in cracker circles. On the other
> hand, our experience is that coding and releasing of proper security
> fixes typically requires about an hour of work -- very fast fix
> turnaround is possible. Thus we think that full disclosure helps the
> people who really care about security" (
> http://openbsd.org/security.html ).
>
> If the Qt Project does not intend to take security issues seriously,
> then we should remove security-related classes from the project
> (QSslSocket namely). Leaving them in is misleading.
>
> d3fault
>


+1
This is a sound argument, especially since he is citing well respected (in
the security scene) projects.

...etc etc until "consensus" is swayed...


Also, the guy didn't even disagree with me. He pretty much reiterated the
first post and said absolutely nothing. You disagreed with me for a little
bit (CVE/Mitre), but getting around those problems is trivial by setting up
a security-private at qt-project.org address for your elitist club.

