[Development] QtCS 2018: Third-party and security policy

Thiago Macieira thiago.macieira at intel.com
Fri Jun 8 22:10:12 CEST 2018

There's a session scheduled for Monday (unless it gets moved). Here's what I 
will propose.

0) Where not really necessary, delete the third-party code and force the use 
of a system library (see assimp discussion, can be applied to qtimageformats 

1) Third-party bundled should be opt-in, not opt-out. That is, the system 
library always takes precedence, if found.

2) Qt Project sources always ship the latest third-party sources available one 
week before the Qt release. The grace period is just so that we can release 
the RC that passed QA. Every feature release receives updates to the latest 
and greatest upstream; every patch release receives updates in the same patch-
series by upstream, if such exists. Release Management will put this as a P1 
requirement for the release, like the changelog, header check, BC check, etc.

3) Qt Project sources receive a patch for a security fix in a library that 
cannot be built as a system library. That's the case of the bundled FreeBSD 
sources or TinyCBOR or right now with Qt Creator's sqlite. We do this within 
one week of the fix, even if it is high Summer in Finland. All releases after 
this point will contain the patched version.

4) No patches are necessarily issued for fixes to libraries that can be used 
as system libraries. But all releases from that point on will be patched.

5) Qt Project binaries containing third-party code are re-released every time 
the code has a fix for a CVE that isn't in what we're shipping. We do this 
within one week of the fix, same conditions. Note this applies to the 
"gnuwin32" dir in qt5.git too.

6) Each third-party bundled library must have an official maintainer and one 
deputy who know how to update it and are tracking that library's security 
advisories. They'll both be added to the Qt Security Team. They have to inform 
the Security Team if they are going to be completely unavailable for more than 
a week. If both are going to be unavailable, they need to ensure there's 
someone who is tracking the library.
	Corollary: existing code that cannot meet this requirement will be 
	deleted from the Qt Project sources.

I know this is harsh, but I think it's necessary. Let's discuss on Monday to 
see if there's any solution I've missed.
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center

More information about the Development mailing list