[Development] QtCS 2018: Third-party and security policy
Thiago Macieira
thiago.macieira at intel.com
Sat Jun 9 23:02:56 CEST 2018
On Saturday, 9 June 2018 16:38:46 IST EXT Marco Bubke wrote:
> So what about some embedded scenario? What is a system library in that
> sense? If people ship their own binary it's not part of Qt anymore. So it's
> their problem, but for the user it's still a problem, and with a high
> probability you introduced an outdated library. Would it not be better to
> ship it as part of Qt in that context to make the life of the embedded
> developer easier?
We'll talk about it on Monday, as this is also the case for TinyCBOR. I
designed it so it would be #include'd in other sources.
> > 3) Qt Project sources receive a patch for a security fix in a library that
> > cannot be built as a system library. That's the case of the bundled
> > FreeBSD sources or TinyCBOR or right now with Qt Creator's sqlite. We do
> > this within one week of the fix, even if it is high Summer in Finland. All
> > releases after this point will contain the patched version.
>
> That is a security fix? If there is a security fix for Sqlite but it is not
> applicable to Qt Creator, should any action be taken? Actually, it is hard
> to imagine any security related problem in this context. We should follow
> a reasonable instead of a fundamental approach here. In that sense we
> should distinguish between different Qt Project software packages.
Good points for discussion. I'll forego giving my comments now.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center