[Development] [Announce] Security advisory: Freetype in Qt
Kevin Kofler
kevin.kofler at chello.at
Sat Jul 30 13:42:11 CEST 2022
Albert Astals Cid wrote:
> On Thursday, 28 July 2022, at 18:13:02 (CEST), Volker Hilsheimer
> wrote:
>> The agreement is that KDE maintains patches like this for Qt 5 so that
>> they are available on top of the branches that are available to the Open
>> Source community.
>
>> https://dot.kde.org/2021/04/06/announcing-kdes-qt-5-patch-collection
>>
>> This might require back-porting relevant patches from the LTS branch, to
>> which relevant people from the KDE community should have access.
>
> The only patch we (KDE people) have is the one that was published with the
> advisory (the one that doesn't apply to the 5.15.6 sources).
>
> Not sure which other patches you expect us to have access to, but we
> don't.

It would also be legally problematic if the people maintaining the KDE
branches had access to the commercial LTS branches, because the commercial
LTS branches are NOT LGPL-licensed. And the KDE branches are not only about
security fixes, but also about backporting bugfixes, so basically ALL
commits to your commercial LTS branches would be candidates for the KDE
branches. So it would be very hard to prove that any bugfix backports KDE
does on their own are not derivative works of the LTS branch if the people
doing the backports had access to the LTS branch.

If I were you, I would NOT accept access to the LTS branch unless it comes
with a written blanket permission to relicense any and all of its contents
under the LGPL, and I strongly doubt that the Qt Company would be willing to
grant such a blanket permission because it would make the closed LTS branch
entirely moot.

Kevin Kofler