[Development] Qt online SDK security problems

Bogdan Vatra bogdan.vatra at kdab.com
Thu Apr 18 13:18:26 CEST 2019


On Thursday, 18 April 2019, at 13:54:15 EEST, André Pönitz wrote:
> On Thu, Apr 18, 2019 at 10:24:24AM +0300, BogDan Vatra via Development wrote:
> > Hi,
> > 
> >   A long time ago the Qt online SDK used to help the users to use the
> >   latest and the safest Qt version all the time.
> 
> There is no latest *and* safest version of any non-trivial code base
> that's under active feature development no matter what Google,
> Microsoft, Apple, ("long time ago" Nokia) say.
> 
> The approach to always update is popular because it's an easy way to
> bundle items/features/changes/services that users otherwise might not
> agree with, with "security" fixes that people have been trained to
> accept.
> 
> When you mix feature development and security fixes you trade some known
> problems which you can evaluate whether they affect or do not affect
> your particular use case for a bag of unknown new problems which you
> cannot evaluate since you do not know them.
> 
> That's security by obscurity at best.

IMHO your approach is pretty wrong.
First and foremost, the patch releases usually do not contain any new
features. They contain only bug and security fixes.
Why should we spend (waste?) time to fix bugs and security issues and to
package new Qt patch versions if these versions are so evil and nobody wants
to use them?

Even though I'm repeating myself for the third time in this thread, I'll do it
one more time, maybe now it's clearer:
I'm not asking to have **only** the latest Qt version as it was a long time ago.
I'm asking to have a choice: if I want to use the latest version, the Qt
online installer should help me. If I want to install a specific version, fine,
I'll install that version and the installer will not update it anymore.

Cheers,
BogDan.



