Hi,

Some of the 3rd party components we bundle in Qt are directly involved in code 
paths that are designed to process untrusted data. Following up on the 
situation with freetype [1] and the discussion we had during summer [2], it 
would help know which of the 3rd party components we bundle today have a 
security relevant surface. All components process data, but many only process 
data that the application developer has full control over (for example, we 
explicitly state that you should not load any untrusted QML code or content 
[3]). Those that are designed to process data from anywhere are the ones that 
are most interesting here.

Those components should then be watched closer, and always get updated to the 
latest version, perhaps even for patch releases. To that end, I’ve started to 
collect a list of such components on

https://wiki.qt.io/Third_Party_Code_in_Qt

and would appreciate if you could have a look and add missing components to 
that page, esp if you are in charge of some of them. I’ve included a column 
that describes what kind of patches we apply when we update the 3rd party code 
(and this is perhaps a good opportunity to see if all of those are still 
necessary).

In the line of the previous discussion [1], we can then start investigating our 
options for those 3rd party components; for instance, can we build them some of 
them as shared libraries so that they can be easily updated? On which platforms 
are some of them available as system libraries or SDKs, and do we test that 
those work in CI?


Thanks,
Volker

PS: Given the nature of Qt WebEngine, we can probably skip that particular 
repository in this exercise.

[1] https://lists.qt-project.org/pipermail/development/2022-July/042795.html
[2] https://lists.qt-project.org/pipermail/development/2022-July/042729.html
[3] https://doc.qt.io/qt-6/qtqml-documents-networktransparency.html

_______________________________________________
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development

Reply via email to