[Interest] Qt free software policy

Thiago Macieira thiago.macieira at intel.com
Mon Aug 19 08:29:58 CEST 2019


On Sunday, 18 August 2019 17:16:17 PDT Roland Hughes wrote:
> >> To start with, there is no version of OpenSSL which is secure. Whoever
> >> is using Qt just because it makes using SSL easy(ier) shouldn't be using
> >> Qt anyway because they are releasing an insecure app they incorrectly
> >> feel is secure.
> > 
> > That's very disingenuous.
> 
> Honestly, it is a _completely_ accurate statement. Hopefully you had
> time to watch the "60 Minutes" report on "Pegasus" tonight.
> 
> https://www.cbsnews.com/video/ceo-of-israeli-spyware-maker-nso-on-fighting-terror-khashoggi-murder-and-saudi-arabia-60-minutes/

You're going from disingenuous to actively counterproductive.

We know OpenSSL has problems. My point is that all problems are fixed as soon 
as they are known. We can't prove mathematically that there are no problems, 
so the best we can do is fix as soon as possible and upgrade.

And there's no better option.

I never claimed that using OpenSSL will make your software magically secure. 
Flaws elsewhere in your software or in other software can be attack vectors 
and bypass the best security that OpenSSL can provide.

I'm saying that using an old version that has known security issues would be 
irresponsible (unless you mitigated them yourself).

> There are others out there which cut through SSL like a hot knife
> through warm butter.

Indeed. Almost all attacks against SSL have been side-channel attacks of one 
form or another. The crypto itself has never been broken.

But that's not a reason to throw your arms up and give up.

> You can create your own without an ocean of effort. I've explained _how_
> to do it several times in this group. JUST BE SURE TO READ THE PATENTS
> BEFORE YOU RELEASE ANYTHING.

Quick note: before reading any patents, consult your lawyer.

> > During Nokia days, there was a better alternative because the income
> > wasn't tied to licensing. I don't think the only other source of income
> > (consulting) is sufficient to make it an option.
> 
> It could/would/should be but from what I've seen Qt Company has no idea
> how to do it. There are thousands of consulting companies scanning job
> boards and slapping Qt consultants like me into very profitable
> projects. I've been working with one (mostly) for close to a decade now.
> They keep opening new offices in new cities. Gotta pay that rent somehow.

I somehow think that 25 years of knowledge of the segment and close 
relationship with very big consulting companies like KDAB and ICS would have 
told them if it was enough.

So I think you're wrong. You're probably underestimating how much money they 
could make off consulting alone.

> Getting back to the actual topic of this particular thread though, besides
> the relentless ex-wife grubbing for alimony commercial licensing
> situation, the mish-mash of OpenSource licensing is really killing Qt as
> an option at companies who don't have an in-house legal department. Most
> who talk to me about it take one look at the pages which have been
> linked in this thread and say "that's it, we'll use Electron or
> insert-competitor-here."

I wouldn't mind a simpler, clearer model.

> Most everybody wants one single license to read. At 2 they start tuning
> out, at 3 they quit.

Right.

PS: Electron, containing Chromium, has FAR MORE licenses inside than Qt. 
Including a copy of FFMPEG, which contains multimedia codecs that may be 
patented.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products