Hi, Does moving the information closer to the code make sense? Most of the information provided in the wiki is already part of the qt_attribution.json files that we use to generate the official documentation about third party modules. What’s missing is the ‘process untrusted content’ flag, which is easy to add:
https://codereview.qt-project.org/c/meta/quips/+/461983 Tell me what you think. Regards kai From: Development <development-boun...@qt-project.org> On Behalf Of Volker Hilsheimer via Development Sent: Friday, January 20, 2023 9:58 AM To: development@qt-project.org Subject: Re: [Development] Security-relevant 3rd party components bundled with Qt On 1 Nov 2022, at 09:55, Volker Hilsheimer via Development <development@qt-project.org<mailto:development@qt-project.org>> wrote: On 20 Sep 2022, at 14:47, Volker Hilsheimer <volker.hilshei...@qt.io<mailto:volker.hilshei...@qt.io>> wrote: […] Those components should then be watched closer, and always get updated to the latest version, perhaps even for patch releases. To that end, I’ve started to collect a list of such components on https://wiki.qt.io/Third_Party_Code_in_Qt and would appreciate if you could have a look and add missing components to that page, esp if you are in charge of some of them. I’ve included a column that describes what kind of patches we apply when we update the 3rd party code (and this is perhaps a good opportunity to see if all of those are still necessary). Hi again, Thanks for populating that page with information about 3rd party components processing untrusted content. As a next step, could those of you who are upgrading such components as part of the release process, please provide links to the respective upstream, and instructions on what is involved in the upgrading of the bundled sources? Hi, That page still misses information for a lot of 3rd party modules about where to find the upstream and the update instructions. That makes it very difficult for our release team to follow up on the 3rd party update. Third Party Code in Qt - Qt Wiki<https://wiki.qt.io/Third_Party_Code_in_Qt> wiki.qt.io<https://wiki.qt.io/Third_Party_Code_in_Qt> [favicon.ico]<https://wiki.qt.io/Third_Party_Code_in_Qt> We need information about QtNetwork: - public suffix list QtGui: - harfbuzz-ng - libpng, libjpeg - sqlite Qt Imageformats: - libwebp Qt Multimedia - ffmpeg - eigen - pffft - resonance audio Qt Quick3D - assimp - tinyexr Thanks, Volker
-- Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
