Re: [Development] Proposing QUIP-23: Qt-Security header in source code files

Thu, 11 Jul 2024 05:53:37 -0700 

Hi,

Yes, exactly that (untrusted input) and especially the parts where this is done 
by Qt (so that it is not even possible for the app to check etc). There might 
be some other ones as well, but main idea is to separate those few places where 
extra good care must be taken from the baseline (which is already good in 
regards to cybersecurity).

The QUIP draft should be extended with some text explaining both the criteria 
for being in these categories as well as what is indented to be done based on 
this.

Yours,

                                Tuukka

From: Development <development-boun...@qt-project.org> on behalf of Giuseppe 
D'Angelo via Development <development@qt-project.org>
Date: Thursday, 11. July 2024 at 14.30
To: development@qt-project.org <development@qt-project.org>
Subject: Re: [Development] Proposing QUIP-23: Qt-Security header in source code 
files
On 10/07/2024 19:08, Kai Köhne via Development wrote:
> That's a lot of questions. But a lot comes down to: Can we agree on
> parts of Qt that are more critical and, therefore, should be subject to
> additional security (in terms of approvers, coding standards, fuzzing
> ...)? And can we then document these parts so that this understanding is
> also available to users?
>
> Dimitrios's proposal could be the basis for this by starting on the
> source level. Let's develop a common vocabulary to talk about the
> criticality of a file or module so that we can focus our efforts there.
> The paradigm behind this is that we identify which parts of Qt deal with
> data from untrusted sources, which is where attackers will always start.

I think a necessary prerequisite for this endeavour is to clearly define
what kind of concerns are we talking about. Security is a very broad
concept. Are we specifically talking about code that deals with
untrusted input data?

Thank you,
--
Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, 
https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.kdab.com%2F&data=05%7C02%7Ctuukka.turunen%40qt.io%7Cc55adea86d974122cf7508dca19cd03e%7C20d0b167794d448a9d01aaeccc1124ac%7C0%7C0%7C638562942090067288%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=5%2BFTag20qXhGL%2Fe01yKy6UN7bfLxlPzL54cMSQiRWYo%3D&reserved=0<http://www.kdab.com/>
KDAB - Trusted Software Excellence

-- 
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development

Reply via email to