[Development] Proposal: Change Qt's Security Policy to Full Disclosure

Knoll Lars Lars.Knoll at digia.com
Sat Oct 20 00:37:23 CEST 2012

On Oct 19, 2012, at 4:59 PM, d3fault <d3faultdotxbe at gmail.com> wrote:

> I proposed it, therefore if nobody disagrees, I get consensus and the
> decision goes into effect. I'll quote myself in an earlier post to
> actually give this thread some substance:

This is just wrong, and I'm getting tired of your ramblings on this mailing list. Just because you send something to the ML and people get tired of answering you doesn't mean your proposal is accepted.

We have a fully worked out proposal by Rich on the table that many people agreed with, and we'll stick with it for now.


> On Thu, Oct 18, 2012 at 3:40 PM, d3fault <d3faultdotxbe at gmail.com> wrote:
>> tl;dr:
>> Open Project
>> Closed Security
>> The officially endorsed method for reporting security issues for Qt is
>> to send them to security at qt-project.org , which is a private mailing
>> list. I have a problem with that.
>> "Experience has shown that 'security through obscurity' does not work.
>> Public disclosure allows for more rapid and better solutions to
>> security problems" ( http://www.debian.org/security/ ).
>> "Security information moves very fast in cracker circles. On the other
>> hand, our experience is that coding and releasing of proper security
>> fixes typically requires about an hour of work -- very fast fix
>> turnaround is possible. Thus we think that full disclosure helps the
>> people who really care about security" (
>> http://openbsd.org/security.html ).
>> If the Qt Project does not intend on taking security issues seriously,
>> then we should remove security related classes from the project
>> (QSslSocket namely). Leaving them in is misleading.
>> d3fault
> d3fault
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development
