[Development] Proposal: Change Qt's Security Policy to Full Disclosure

Samuel Rødal samuel.rodal at digia.com
Wed Oct 24 17:39:48 CEST 2012

On 10/24/2012 11:30 AM, d3fault wrote:
> On 10/24/12, Samuel Rødal <samuel.rodal at digia.com> wrote:
>> Lars and Charles both provided good lists of reasons in another part of
>> this thread for going with the policy of Responsible Disclosure. Clearly
>> you disagree on the weighting of the pros and cons, but it doesn't seem
>> like you're able to convince anyone else about the superiority of your
>> position. At what point will you accept that?
> dubtef' you're right, I completely missed Lars' response somehow :-/.
> I think I've logically proven a vulnerability exists within the Qt
> Security Policy. I think what I'm proposing is reasonable. It
> accommodates both responsible and full disclosure. Yes I can be an
> arsehole at times (triggered especially when I'm talked down to: "let
> us make important decisions for you" ... and basically this whole "you
> have to trust us with your security" mentality), but skipping over the
> argument completely and focusing only on my bad behavior is even worse
> than the bad behavior itself.

As far as I see it, all the options have vulnerabilities, so it shouldn't
be hard to prove that they exist within either approach.

If I get you correctly, you're saying that you want two security mailing
lists, one open and one closed. Others have countered this by saying
that the existing development mailing list will in practice act as the
open one. In what way do you perceive these two options as being
radically different?
