[Development] Proposal: Change Qt's Security Policy to Full Disclosure

d3fault d3faultdotxbe at gmail.com
Fri Oct 19 16:59:10 CEST 2012


I proposed it, therefore if nobody disagrees, I get consensus and the
decision goes into effect. I'll quote myself in an earlier post to
actually give this thread some substance:

On Thu, Oct 18, 2012 at 3:40 PM, d3fault <d3faultdotxbe at gmail.com> wrote:
> tl;dr:
> Open Project
> Closed Security
>
> The officially endorsed method for reporting security issues for Qt is
> to send them to security at qt-project.org , which is a private mailing
> list. I have a problem with that.
>
> "Experience has shown that 'security through obscurity' does not work.
> Public disclosure allows for more rapid and better solutions to
> security problems" ( http://www.debian.org/security/ ).
>
> "Security information moves very fast in cracker circles. On the other
> hand, our experience is that coding and releasing of proper security
> fixes typically requires about an hour of work -- very fast fix
> turnaround is possible. Thus we think that full disclosure helps the
> people who really care about security" (
> http://openbsd.org/security.html ).
>
> If the Qt Project does not intend on taking security issues seriously,
> then we should remove security related classes from the project
> (QSslSocket namely). Leaving them in is misleading.
>
> d3fault

d3fault
