On Thursday, 7 June 2018 02:19:26 PDT Giuseppe D'Angelo wrote:
> Hi,
>
> On 07/06/18 05:13, Thiago Macieira wrote:
> > As you may be aware, Intel is taking security VERY seriously and I cannot
> > accept a project I contribute to having any worse policies. Our open source
> > security team also evaluates each project's security policies and they have
> > blacklisted quite a few open source projects from being used in Intel
> > products, so I'd like to make sure Qt continues to comply with the stricter
> > guidelines.
>
> By any chance, are these guidelines public?
No. I can summarise and paraphrase, though. It basically boils down to "releases frequently and has a security team", which is fine for most projects.

My gripe is with the third-party content we have inside Qt, which throws a wrench into the gears. Intel products MUST use the latest release and follow all the security guidelines for all software they're using, so those bundled third-party libraries hide releases and security notices that are relevant.

This is what I want to discuss: how can we make sure we don't cause our users to use known-insecure software because we haven't updated our third-party content?

For that reason, my current advice to ANY software using Qt is to never use any of the bundled third-party libraries (always use system libraries). Note how this means "don't ever use the pre-built binaries from download.qt.io"...

PS: I realise I am guilty of the thing I am accusing others of too. TinyCBOR, just merged into 5.12, cannot be used as a system library as it stands. I had planned on having sufficient time to finish the API for 0.6 before the Qt 5.12 release, but it doesn't look like it.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center

_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development
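The advice above ("always use system libraries") can be checked on a built Qt rather than taken on trust. On Linux, a Qt library configured with `-system-zlib`, `-system-libpng`, `-system-freetype` or `-system-harfbuzz` carries a `DT_NEEDED` entry for the corresponding system shared object; one built against the bundled copy in `src/3rdparty` carries no such entry, because that code was compiled into the Qt library itself. The script below is an added example, not code from the Qt project or from the author of the message: it parses `readelf -d` output and reports which third-party components appear to be bundled. The soname patterns and the two sample `readelf -d` listings are constructed assumptions for a typical Linux distribution; adjust the component table for the library you audit (for example, `libqjpeg.so` in the imageformats plugin directory would be checked for `libjpeg.so`, and `libQt5Core.so.5` for `libpcre2-16.so`).

```python
"""Audit a Qt shared library for bundled third-party code via its DT_NEEDED entries.

Added example, not code from the Qt project. Usage on a real build:
    readelf -d /path/to/libQt5Gui.so.5 | python3 audit_qt_3rdparty.py
The inference is only valid for shared (non-static) builds on ELF platforms.
"""
import re
import sys
from typing import Dict, List

# Components Qt 5 can build either bundled (-qt-*) or from the system (-system-*),
# together with the soname a system build of libQt5Gui would pull in.
# The patterns are assumptions for a common Linux distribution layout.
QTGUI_COMPONENTS: Dict[str, str] = {
    "zlib":     r"^libz\.so",
    "libpng":   r"^libpng\d*\.so",
    "freetype": r"^libfreetype\.so",
    "harfbuzz": r"^libharfbuzz\.so",
}

# Matches e.g. " 0x0000000000000001 (NEEDED)  Shared library: [libz.so.1]"
_NEEDED = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")


def parse_needed(readelf_output: str) -> List[str]:
    """Return the DT_NEEDED sonames, in order, from `readelf -d` output."""
    return [m.group(1) for m in _NEEDED.finditer(readelf_output)]


def audit(readelf_output: str, components: Dict[str, str] = QTGUI_COMPONENTS) -> Dict[str, bool]:
    """Map each component to True if a matching system soname is a direct
    dependency, False if it is absent (and therefore presumably bundled)."""
    needed = parse_needed(readelf_output)
    return {name: any(re.match(pat, so) for so in needed)
            for name, pat in components.items()}


def bundled_components(readelf_output: str, components: Dict[str, str] = QTGUI_COMPONENTS) -> List[str]:
    """Sorted list of components that look bundled into the audited library."""
    return sorted(name for name, from_system in audit(readelf_output, components).items()
                  if not from_system)


# Constructed sample: a distribution build of libQt5Gui configured with -system-* options.
DISTRO_BUILD = """
Dynamic section at offset 0x6a3c8 contains 35 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libQt5Core.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libpng16.so.16]
 0x0000000000000001 (NEEDED)             Shared library: [libharfbuzz.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libfreetype.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libGL.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libQt5Gui.so.5]
"""

# Constructed sample: a binary built with the bundled copies (as a pre-built
# download typically is), so none of the third-party sonames are needed.
PREBUILT_BUNDLED = """
Dynamic section at offset 0x7b1d8 contains 31 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libQt5Core.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libGL.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libQt5Gui.so.5]
"""


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else DISTRO_BUILD
    for component, from_system in audit(data).items():
        print(f"{component:10s} {'system' if from_system else 'BUNDLED (no DT_NEEDED entry)'}")
    sys.exit(1 if bundled_components(data) else 0)
```

A bundled component reported here means the library must be tracked for that component's upstream security advisories and rebuilt whenever upstream releases a fix, which is exactly the bookkeeping the message argues should be avoided by linking against system libraries.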