[Development] Pinging Marco Bubke for QTCREATORBUG-20401 - Allow to build with system's SQLite
Thiago Macieira
thiago.macieira at intel.com
Thu Jun 7 18:01:54 CEST 2018
On Thursday, 7 June 2018 02:19:26 PDT Giuseppe D'Angelo wrote:
> Hi,
>
> On 07/06/18 05:13, Thiago Macieira wrote:
> > As you may be aware, Intel is taking security VERY seriously and I cannot
> > accept a project I contribute to having any worse policies. Our open
> > source
> > security team also evaluates each project's security policies and they
> > have
> > blacklisted quite a few open source projects from being used in Intel
> > products, so I'd like to make sure Qt continues to comply with the
> > stricter
> > guidelines.
>
> By any chance, are these guidelines public?
No. I can summarise and paraphrase, though. It basically it boils down to
"releases frequently and has a security team", which is fine for most
projects.
My gripe is with the third party content we have inside Qt, which throws a
wrench into the gears. Intel products MUST use the latest release and follow
all the security guidelines for all software it's using, so those bundled
third-party hide releases and security notices that are relevant. This is what
I want to discuss: how can we make sure we don't cause our users to use known-
insecure software because we haven't updated our third-party content.
For that reason, my current advice to ANY software using Qt is to never use
any of the bundled third-party (always use system libraries). Note how this
means "don't ever use the pre-built binaries from download.qt.io"...
PS: I realise I am guilty of the thing I am accusing of too. TinyCBOR, just
merged into 5.12, cannot be used as a system library as it stands. I had
planned on having sufficient time to finish the API for 0.6 before the Qt 5.12
release, but it doesn't look like it.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
More information about the Development
mailing list