[Development] Pinging Marco Bubke for QTCREATORBUG-20401 - Allow to build with system's SQLite

Thiago Macieira thiago.macieira at intel.com
Thu Jun 7 18:01:54 CEST 2018


On Thursday, 7 June 2018 02:19:26 PDT Giuseppe D'Angelo wrote:
> Hi,
> 
> On 07/06/18 05:13, Thiago Macieira wrote:
> > As you may be aware, Intel is taking security VERY seriously and I cannot
> > accept a project I contribute to having any worse policies. Our open source
> > security team also evaluates each project's security policies and they have
> > blacklisted quite a few open source projects from being used in Intel
> > products, so I'd like to make sure Qt continues to comply with the stricter
> > guidelines.
> 
> By any chance, are these guidelines public?

No. I can summarise and paraphrase, though. It basically boils down to 
"releases frequently and has a security team", which is fine for most 
projects.

My gripe is with the third party content we have inside Qt, which throws a 
wrench into the gears. Intel products MUST use the latest release and follow 
all the security guidelines for all software it's using, so those bundled 
third-party hide releases and security notices that are relevant. This is what 
I want to discuss: how can we make sure we don't cause our users to use known-
insecure software because we haven't updated our third-party content.

For that reason, my current advice to ANY software using Qt is to never use 
any of the bundled third-party (always use system libraries). Note how this 
means "don't ever use the pre-built binaries from download.qt.io"...

PS: I realise I am guilty of the thing I am accusing of too. TinyCBOR, just 
merged into 5.12, cannot be used as a system library as it stands. I had 
planned on having sufficient time to finish the API for 0.6 before the Qt 5.12 
release, but it doesn't look like it.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center