Hi,

Does moving the information closer to the code make sense? Most of the 
information provided in the wiki is already part of the qt_attribution.json 
files that we use to generate the official documentation about third party 
modules. What’s missing is the ‘process untrusted content’ flag, which is easy 
to add:

https://codereview.qt-project.org/c/meta/quips/+/461983

Tell me what you think.

Regards

kai

From: Development <development-boun...@qt-project.org> On Behalf Of Volker 
Hilsheimer via Development
Sent: Friday, January 20, 2023 9:58 AM
To: development@qt-project.org
Subject: Re: [Development] Security-relevant 3rd party components bundled with 
Qt

On 1 Nov 2022, at 09:55, Volker Hilsheimer via Development 
<development@qt-project.org> wrote:

On 20 Sep 2022, at 14:47, Volker Hilsheimer 
<volker.hilshei...@qt.io> wrote:
[…]

Those components should then be watched closer, and always get updated to the 
latest version, perhaps even for patch releases. To that end, I’ve started to 
collect a list of such components on

https://wiki.qt.io/Third_Party_Code_in_Qt

and would appreciate if you could have a look and add missing components to 
that page, esp if you are in charge of some of them. I’ve included a column 
that describes what kind of patches we apply when we update the 3rd party code 
(and this is perhaps a good opportunity to see if all of those are still 
necessary).


Hi again,


Thanks for populating that page with information about 3rd party components 
processing untrusted content.

As a next step, could those of you who are upgrading such components as part of 
the release process, please provide links to the respective upstream, and 
instructions on what is involved in the upgrading of the bundled sources?

Hi,

That page still misses information for a lot of 3rd party modules about where 
to find the upstream and the update instructions. That makes it very difficult 
for our release team to follow up on the 3rd party update.


We need information about

QtNetwork:
- public suffix list

QtGui:
- harfbuzz-ng
- libpng, libjpeg
- sqlite

Qt Imageformats:
- libwebp

Qt Multimedia:
- ffmpeg
- eigen
- pffft
- resonance audio

Qt Quick3D:
- assimp
- tinyexr


Thanks,
Volker

-- 
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
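The proposal in the top message is to keep the "processes untrusted content" information next to the code, in the qt_attribution.json files, instead of in the wiki table. The following script is an added example (not Qt project code, and not the content of the linked Gerrit change): it walks a source tree, reads every qt_attribution.json, and prints the list the release team asks for above (component, module, bundled version, upstream location) for every entry that carries the flag, and separately reports flagged entries that still lack an upstream location. The flag name "ProcessesUntrustedContent" is an assumption, as is the sample tree the script builds for an offline run; the other field names ("Id", "QDocModule", "Version", "DownloadLocation", "Homepage") follow the existing qt_attribution.json layout.

```python
"""Added example, not Qt's own tooling.

Assumptions that are not taken from the mailing-list thread:
  - the new flag is a boolean JSON key named "ProcessesUntrustedContent"
    (the real key name is whatever the Gerrit change settles on);
  - the sample entries built by build_sample_tree() are constructed
    illustrations, not Qt's real attribution data.
"""
import json
import os
import tempfile
from typing import Iterator

FLAG = "ProcessesUntrustedContent"  # assumed key name


def iter_attribution_entries(root: str) -> Iterator[tuple[str, dict]]:
    """Yield (path, entry) for every entry in every qt_attribution.json under root."""
    for dirpath, _dirs, filenames in sorted(os.walk(root)):
        if "qt_attribution.json" not in filenames:
            continue
        path = os.path.join(dirpath, "qt_attribution.json")
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
        # A file holds either a single entry (object) or several (array).
        for entry in (data if isinstance(data, list) else [data]):
            yield path, entry


def untrusted_content_components(root: str) -> list[dict]:
    """Rows for entries flagged as processing untrusted content, sorted by module/id."""
    rows = []
    for path, entry in iter_attribution_entries(root):
        if entry.get(FLAG) is not True:
            continue
        rows.append({
            "id": entry.get("Id", "?"),
            "module": entry.get("QDocModule", "?"),
            "version": entry.get("Version", "?"),
            # Prefer the concrete download location; fall back to the homepage.
            "upstream": entry.get("DownloadLocation") or entry.get("Homepage") or "",
            "file": os.path.relpath(path, root),
        })
    return sorted(rows, key=lambda r: (r["module"], r["id"]))


def missing_upstream(rows: list[dict]) -> list[str]:
    """Ids of flagged components whose entry gives no upstream location at all."""
    return [r["id"] for r in rows if not r["upstream"]]


def build_sample_tree(base: str) -> None:
    """Write a constructed sample tree (illustrative values only) under base."""
    sample = {
        "qtbase/src/3rdparty/libpng": [{
            "Id": "libpng", "Name": "LibPNG", "QDocModule": "qtgui",
            "Version": "1.6.39",
            "DownloadLocation": "https://example.invalid/libpng",  # constructed
            FLAG: True,
        }],
        # Flagged, but nobody filled in where upstream lives yet.
        "qtbase/src/3rdparty/sqlite": [{
            "Id": "sqlite", "Name": "SQLite", "QDocModule": "qtsql",
            "Version": "3.40.1", FLAG: True,
        }],
        # Not flagged: does not parse attacker-controlled input in this model.
        "qtbase/src/3rdparty/zlib": {
            "Id": "zlib", "Name": "zlib", "QDocModule": "qtcore",
            "Version": "1.2.13", "Homepage": "https://example.invalid/zlib",
        },
    }
    for rel, entries in sample.items():
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "qt_attribution.json"), "w", encoding="utf-8") as fh:
            json.dump(entries, fh, indent=2)


def run_sample() -> list[dict]:
    """Build the sample tree in a temp dir and return the flagged rows."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return untrusted_content_components(tmp)


if __name__ == "__main__":
    rows = run_sample()
    for r in rows:
        print(f"{r['module']:8} {r['id']:12} {r['version']:10} {r['upstream'] or '(no upstream given)'}")
    gaps = missing_upstream(rows)
    if gaps:
        print("flagged components without upstream location:", ", ".join(gaps))
```

Run against a real checkout by replacing run_sample() with untrusted_content_components("/path/to/qt5") once the flag exists in the attribution files; the "no upstream given" output is the same gap the message above reports for the wiki, only now found mechanically from the files next to the code.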
