[Development] Proposing QUIP-23: Qt-Security header in source code files

Thu Jul 11 14:53:05 CEST 2024

Hi,

Yes, exactly that (untrusted input) and especially the parts where this is done by Qt (so that it is not even possible for the app to check etc). There might be some other ones as well, but main idea is to separate those few places where extra good care must be taken from the baseline (which is already good in regards to cybersecurity).

The QUIP draft should be extended with some text explaining both the criteria for being in these categories as well as what is indented to be done based on this.

Yours,

                                Tuukka

From: Development <development-bounces at qt-project.org> on behalf of Giuseppe D'Angelo via Development <development at qt-project.org>
Date: Thursday, 11. July 2024 at 14.30
To: development at qt-project.org <development at qt-project.org>
Subject: Re: [Development] Proposing QUIP-23: Qt-Security header in source code files
On 10/07/2024 19:08, Kai Köhne via Development wrote:
> That's a lot of questions. But a lot comes down to: Can we agree on
> parts of Qt that are more critical and, therefore, should be subject to
> additional security (in terms of approvers, coding standards, fuzzing
> ...)? And can we then document these parts so that this understanding is
> also available to users?
>
> Dimitrios's proposal could be the basis for this by starting on the
> source level. Let's develop a common vocabulary to talk about the
> criticality of a file or module so that we can focus our efforts there.
> The paradigm behind this is that we identify which parts of Qt deal with
> data from untrusted sources, which is where attackers will always start.

I think a necessary prerequisite for this endeavour is to clearly define
what kind of concerns are we talking about. Security is a very broad
concept. Are we specifically talking about code that deals with
untrusted input data?

Thank you,
--
Giuseppe D'Angelo | giuseppe.dangelo at kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.kdab.com%2F&data=05%7C02%7Ctuukka.turunen%40qt.io%7Cc55adea86d974122cf7508dca19cd03e%7C20d0b167794d448a9d01aaeccc1124ac%7C0%7C0%7C638562942090067288%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=5%2BFTag20qXhGL%2Fe01yKy6UN7bfLxlPzL54cMSQiRWYo%3D&reserved=0<http://www.kdab.com/>
KDAB - Trusted Software Excellence
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20240711/d6e6ccd5/attachment-0001.htm>