[Development] QtCS2019 Notes from "Evolving the Qt Security Policy" session

Thiago Macieira thiago.macieira at intel.com
Thu Nov 21 12:05:51 CET 2019

Notes from the session are in


See QUIP for proposal - https://codereview.qt-project.org/c/meta/quips/+/

* Make the security core team very small
** Must be Qt Project Approver
* The group of people subscribed to the security list is larger
* Our security processes already include:
** "Four eyes" review process (no one can introduce their own changes)
** Static analyses (Giuseppe uploads every Sunday)
** Fuzzing is done for some modules that are designed to consume untrusted 
data (Robert had a session on this and will have more details)
** Update third-party components every release
* Third-party component updating:
** For Qt5, remain as is, with manual processes
** For Qt 6, with cmake, upgrading should be easy (single command), so 
customers can do it too
** We may need to patch when there are fixes from third-parties that are not 
in any release yet
* Proposal: third-party support bundle
** For all binary builds, create a bundle of all third-party content built as 
regular shared libraries/DLLs
** Updates whenever there are new releases for those third-parties and when 
there are fixes necessary
** Shared among all Qt versions
** Release announcements include the vulnerabilities fixed
** Time frame: probably for 6.0
* Proposal: core security team monitors third party CVE feeds
** Update the bundled sources

== The Core Security Team ==
The '''Core''' team is responsible for:
* Moderating emails to security at qt-project.org
* Triaging incoming reports, removing those that aren't security issues
* Informing full security team (includes all maintainers)
* Determining the responsible person for fixing the issue
* Security issues are initially P0, but can be lowered after investigation
* When confirmed as a security issue, the Core Security Team obtains a CVE number
* Ensuring assignee for fix is working on it

Who is on this team? Volker will discuss with the Qt Company management and 

Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products
