[Development] [Announce] Security advisory: Freetype in Qt

Kevin Kofler kevin.kofler at chello.at
Sat Jul 30 13:42:11 CEST 2022

Albert Astals Cid wrote:

> El dijous, 28 de juliol de 2022, a les 18:13:02 (CEST), Volker Hilsheimer
> va escriure:
>> The agreement is that KDE maintains patches like this for Qt 5 so that
>> they are available on top of the branches that are available to the Open
>> Source community.
>> https://dot.kde.org/2021/04/06/announcing-kdes-qt-5-patch-collection
>> This might require back-porting relevant patches from the LTS branch, to
>> which relevant people from the KDE community should have access.
> The only patch we (KDE people) have is the one that was published with the
> advisory (the one that that that doesn't apply to the 5.15.6 sources).
> Not sure which other patches you expect us to have access to, but we
> don't.

It would also be legally problematic if the people maintaining the KDE 
branches had access to the commercial LTS branches, because the commercial 
LTS branches are NOT LGPL-licensed. And the KDE branches are not only about 
security fixes, but also about backporting bugfixes, so basically ALL 
commits to your commercial LTS branches would be candidates for the KDE 
branches. So it would be very hard to prove that any bugfix backports KDE 
does on their own are not derivative works of the LTS branch if the people 
doing the backports had access to the LTS branch.

If I were you, I would NOT accept access to the LTS branch unless it comes 
with a written blanket permission to relicense any and all of its contents 
under the LGPL, and I strongly doubt that the Qt Company would be willing to 
grant such a blanket permission because it would make the closed LTS branch 
entirely moot.

        Kevin Kofler

More information about the Development mailing list