[Development] Iterations on QUIP-23 - "Qt-Security header in source code files"
Volker Hilsheimer
volker.hilsheimer at qt.io
Tue Feb 24 10:10:49 CET 2026
> On 2 Apr 2025, at 13:51, Volker Hilsheimer via Development <development at qt-project.org> wrote:
>
> Hi all,
>
>
> we have had a few rounds in which we reviewed code in various Qt modules and added security tags as per https://contribute.qt-project.org/quips/23
>
> As expected, we learned a few things in the process, and are preparing a few improvements and clarifications. One of the proposals is that we should always tag header and source files the same way:
>
> https://codereview.qt-project.org/c/meta/quips/+/630766
>
> Rationale as per the change, but see discussion as well, and contribute with your perspective.
>
> I expect that we’ll see a few more clarifications, both normative and editorial, coming to that QUIP as we work our way through the code base. We might not start a new mailing list thread for each of those changes, so if you care about this process, it might be a good idea to configure your gerrit notifications to make you aware of incoming patches.
>
>
> Cheers,
> Volker
While the particular change above never got approved, we have now further developed our process and exercised our threat analysis and risk assessment muscles, and based on that I’m proposing the following update:
https://codereview.qt-project.org/c/meta/quips/+/713587
TL;DR:
* all sources that are part of the framework need a security classification
* adopt established terminology from threat modeling
* clearer guidance on which files are likely to qualify as critical
* multiple reason tags might be given for any file, in a comma-separated list
Volker
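The update requires every framework source file to carry a classification and allows several comma-separated reason tags per file. A small consistency check over a source tree, as an added example that is neither part of this mail nor a Qt project tool: it looks for a `Qt-Security score:<score> reason:<tag>[,<tag>...]` comment near the top of each file, reports files with no tag, and flags unknown, missing or duplicated tags. The header shape follows QUIP-23 as I read it, and the score and reason vocabularies below are placeholders I assumed for the demo, so check both against the current QUIP before using this on real code. The sample files are constructed inline.

```python
"""Check that source files carry a Qt-Security classification header.

Assumed header shape (verify against QUIP-23; the mail gives no grammar):
    // Qt-Security score:critical reason:data-parser,network-input
"""
import re
import tempfile
from pathlib import Path

# Assumed vocabularies for the demo; replace with the values the QUIP defines.
ASSUMED_SCORES = {"critical", "significant", "default"}
ASSUMED_REASONS = {"data-parser", "network-input", "file-access", "privileged", "default"}

HEADER_RE = re.compile(
    r"Qt-Security\s+score:(?P<score>[A-Za-z0-9_-]+)"
    r"(?:\s+reason:(?P<reasons>[A-Za-z0-9_-]+(?:\s*,\s*[A-Za-z0-9_-]+)*))?"
)
HEADER_WINDOW = 40  # only inspect the top of the file, where license headers live
SOURCE_SUFFIXES = {".h", ".cpp", ".c", ".mm"}


def parse_header(text):
    """Return {'score': str, 'reasons': [str]} for the first tag found in the
    first HEADER_WINDOW lines, or None if the file carries no classification."""
    for line in text.splitlines()[:HEADER_WINDOW]:
        m = HEADER_RE.search(line)
        if m:
            reasons = m.group("reasons")
            return {
                "score": m.group("score"),
                "reasons": [r.strip() for r in reasons.split(",")] if reasons else [],
            }
    return None


def check_file(path):
    """Return a list of findings for one file; an empty list means it is fine."""
    tag = parse_header(Path(path).read_text(encoding="utf-8", errors="replace"))
    if tag is None:
        return ["missing Qt-Security classification"]
    findings = []
    if tag["score"] not in ASSUMED_SCORES:
        findings.append(f"unknown score '{tag['score']}'")
    if not tag["reasons"]:
        findings.append("no reason tag given")
    for r in tag["reasons"]:
        if r not in ASSUMED_REASONS:
            findings.append(f"unknown reason '{r}'")
    if len(tag["reasons"]) != len(set(tag["reasons"])):
        findings.append("duplicate reason tags")
    return findings


def check_tree(root):
    """Map every source file under root (relative path) to its findings."""
    root = Path(root)
    return {
        str(p.relative_to(root)): check_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in SOURCE_SUFFIXES
    }


# Constructed sample files (not Qt code) to exercise the checker.
SAMPLE_FILES = {
    "qparser.cpp": "// Copyright header\n// Qt-Security score:critical reason:data-parser,network-input\n",
    "qparser.h": "// Qt-Security score:critical reason:data-parser\n",
    "qwidget.cpp": "// Qt-Security score:default reason:default\n",
    "qthing.cpp": "// Copyright header only, no classification\n",
    "qbad.cpp": "// Qt-Security score:high reason:data-parser,data-parser\n",
}


def run_demo():
    """Write the samples to a temp dir, run the check and return the report."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_FILES.items():
            Path(d, name).write_text(body, encoding="utf-8")
        report = check_tree(d)
    for name, findings in report.items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
    return report


if __name__ == "__main__":
    run_demo()
```

Run it as a pre-review step or CI job over the module tree; files with an empty finding list satisfy the "every file is classified" rule, and the rest are the ones a reviewer needs to look at. It deliberately does not compare a header with its matching source file, since that proposal was never adopted.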