[Development] Security-relevant 3rd party components bundled with Qt

Volker Hilsheimer volker.hilsheimer at qt.io
Fri Feb 24 17:16:12 CET 2023


That’s an excellent idea indeed.

And the attribution file is already able to point at the upstream (albeit optionally; I guess we can’t make it mandatory), and a comment entry that could in turn include information about how to update things, makes that a pretty complete container of all relevant information.

Volker


On 22 Feb 2023, at 12:21, Kai Köhne <Kai.Koehne at qt.io> wrote:

Hi,

Does moving the information closer to the code make sense? Most of the information provided in the wiki is already part of the qt_attribution.json files that we use to generate the official documentation about third party modules. What’s missing is the ‘process untrusted content’ flag, which is easy to add:

https://codereview.qt-project.org/c/meta/quips/+/461983

Tell me what you think.

Regards

kai

From: Development <development-bounces at qt-project.org> On Behalf Of Volker Hilsheimer via Development
Sent: Friday, January 20, 2023 9:58 AM
To: development at qt-project.org
Subject: Re: [Development] Security-relevant 3rd party components bundled with Qt

On 1 Nov 2022, at 09:55, Volker Hilsheimer via Development <development at qt-project.org> wrote:

On 20 Sep 2022, at 14:47, Volker Hilsheimer <volker.hilsheimer at qt.io> wrote:
[…]

Those components should then be watched closer, and always get updated to the latest version, perhaps even for patch releases. To that end, I’ve started to collect a list of such components on

https://wiki.qt.io/Third_Party_Code_in_Qt

and would appreciate if you could have a look and add missing components to that page, esp if you are in charge of some of them. I’ve included a column that describes what kind of patches we apply when we update the 3rd party code (and this is perhaps a good opportunity to see if all of those are still necessary).


Hi again,


Thanks for populating that page with information about 3rd party components processing untrusted content.

As a next step, could those of you who are upgrading such components as part of the release process, please provide links to the respective upstream, and instructions on what is involved in the upgrading of the bundled sources?

Hi,

That page still misses information for a lot of 3rd party modules about where to find the upstream and the update instructions. That makes it very difficult for our release team to follow up on the 3rd party update.

Third Party Code in Qt - Qt Wiki <https://wiki.qt.io/Third_Party_Code_in_Qt>

We need information about

QtNetwork:
- public suffix list

QtGui:
- harfbuzz-ng
- libpng, libjpeg
- sqlite

Qt Imageformats:
- libwebp

Qt Multimedia:
- ffmpeg
- eigen
- pffft
- resonance audio

Qt Quick3D:
- assimp
- tinyexr


Thanks,
Volker
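The thread above asks for three things per bundled component: whether it processes untrusted content, where its upstream is, and how to upgrade the bundled copy, and Kai's suggestion is to keep all of that in the qt_attribution.json files next to the code. The script below is an added example of how a release engineer could audit such files for exactly those gaps; it is not Qt's own tooling and not part of the quip change linked above. The flag name `ProcessesUntrustedContent` is an assumed placeholder for whatever name the quip actually defines, and the sample attribution data is constructed for this example (the versions, URLs and comments are invented). The existing field names it relies on, `Id`, `Name`, `Homepage`, `DownloadLocation`, `Version` and `Comment`, are ones qt_attribution.json already uses.

```python
"""Audit qt_attribution.json-style entries for the metadata a release team
needs when a bundled component processes untrusted content.

Added example, not Qt's tooling. The flag name below is an assumption."""
from __future__ import annotations

import json
from pathlib import Path
from typing import Any

UNTRUSTED_FLAG = "ProcessesUntrustedContent"        # assumed field name
UPSTREAM_FIELDS = ("Homepage", "DownloadLocation")  # existing attribution fields
REQUIRED_WHEN_UNTRUSTED = ("Version", "Comment")     # version + update instructions

# Constructed sample data: versions, URLs and comments are invented.
SAMPLE_ATTRIBUTION = r'''[
  { "Id": "libpng", "Name": "LibPNG", "QDocModule": "qtgui",
    "Version": "1.6.0", "Homepage": "https://example.org/libpng",
    "ProcessesUntrustedContent": true,
    "Comment": "Upgrade: replace the tarball contents, then reapply the qt_*.patch files." },
  { "Id": "tinyexr", "Name": "tinyexr", "QDocModule": "qtquick3d",
    "Version": "1.0.0", "ProcessesUntrustedContent": true },
  { "Id": "pffft", "Name": "PFFFT", "QDocModule": "qtmultimedia",
    "Version": "2020.1", "Homepage": "https://example.org/pffft" },
  { "Id": "sqlite", "Name": "SQLite", "QDocModule": "qtsql",
    "Version": "3.40.0", "Homepage": "https://example.org/sqlite",
    "ProcessesUntrustedContent": false }
]'''


def load_attribution(text: str) -> list[dict[str, Any]]:
    """A qt_attribution.json file holds either one object or a list of them."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def audit(entries: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Return (component id, problem) pairs for entries lacking the
    information the release process needs.

    Rules:
      * every entry must say whether it processes untrusted content;
      * entries that do must name an upstream (Homepage or DownloadLocation),
        carry a Version, and carry a Comment with update instructions.
    """
    findings: list[tuple[str, str]] = []
    for entry in entries:
        ident = entry.get("Id") or entry.get("Name") or "<unnamed>"
        if UNTRUSTED_FLAG not in entry:
            findings.append((ident, f"{UNTRUSTED_FLAG} not set"))
            continue
        if not entry[UNTRUSTED_FLAG]:
            continue  # not exposed to attacker-controlled input: nothing to demand
        if not any(entry.get(field) for field in UPSTREAM_FIELDS):
            findings.append((ident, "no upstream location"))
        for field in REQUIRED_WHEN_UNTRUSTED:
            if not entry.get(field):
                findings.append((ident, f"missing {field}"))
    return findings


def scan_tree(root: str | Path) -> list[tuple[str, str, str]]:
    """Walk a source tree and audit every qt_attribution.json found."""
    results: list[tuple[str, str, str]] = []
    for path in sorted(Path(root).rglob("qt_attribution.json")):
        entries = load_attribution(path.read_text(encoding="utf-8"))
        for ident, problem in audit(entries):
            results.append((str(path), ident, problem))
    return results


if __name__ == "__main__":
    for ident, problem in audit(load_attribution(SAMPLE_ATTRIBUTION)):
        print(f"{ident}: {problem}")
```

Run against a checkout, `scan_tree("qt5")` gives the list the release team would otherwise have to reconstruct from the wiki page; an entry that never sets the flag is reported on purpose, because "unknown" is the state the thread is trying to eliminate.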

