[Interest] Qt free software policy

Thiago Macieira thiago.macieira at intel.com
Wed Aug 14 22:28:17 CEST 2019


On Wednesday, 14 August 2019 13:18:12 PDT André Pönitz wrote:
> On Wed, Aug 14, 2019 at 12:57:27PM -0700, Thiago Macieira wrote:
> > On Wednesday, 14 August 2019 12:09:02 PDT Roland Hughes wrote:
> > > If you do not need the latest bells and whistles, drop back to Qt 4.8
> > 
> > No, don't. That is not receiving security fixes.
> 
> To make this a valid line of reasoning you would need to provide
> an overview on what kind on issues have been found and fixed, what
> issues have been introduced, found and fixed, and estimates on
> what kind of issues have not been found so far, and perhaps even
> on the impact those issues have on typical usage patterns.

We get a division by zero. So I can claim 100% of the issues found weren't 
fixed and be correct :-)

More seriously, the fact that no one is even checking to see if there are or 
have been any issues is sufficient reason to declare insecure.

Do not use insecure software.

Stop using Qt 4.8 right now.
Stop using Python2 by the end of the year.
Stop using OpenSSL 1.0 by the end of year.

PS: Qt 5.12 will switch to OpenSSL 1.1 in the binary builds.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products





More information about the Interest mailing list