On 8/18/19 5:00 AM, Thiago Macieira wrote:
>>> No, don't. That is not receiving security fixes.
>>
>> That's exactly what is happening in many places and it should be done. A
>> number of shops have their own forks of 4.8, some have shared forks.
>
> And that's great, that's their right under open source licences and I'm glad
> they're exercising it. But the most important fact in your entire email is
> "they have shared forks". That means there is active development between some
> companies, who fix the issues that are important to them, including any
> security ones that can exist.
In many/most cases they are shared across products under the same
mega-parent corporation or were until some units got spun-out or sold off.
>> To start with, there is no version of OpenSSL which is secure. Whoever
>> is using Qt just because it makes using SSL easy(ier) shouldn't be using
>> Qt anyway because they are releasing an insecure app they incorrectly
>> feel is secure.
>
> That's very disingenuous.
Honestly, it is a _completely_ accurate statement. Hopefully you had
time to watch the "60 Minutes" report on "Pegasus" tonight.
https://www.cbsnews.com/video/ceo-of-israeli-spyware-maker-nso-on-fighting-terror-khashoggi-murder-and-saudi-arabia-60-minutes/
This is one of many, but is the most widely known. It doesn't need
supercomputers, just a cheap-ass PC running as a server on the Internet. It
can pull and decrypt _all_ of the data on any current idiot phone.
Admittedly this one typically requires a "link." Please pay close
attention when watching the "60 Minutes" piece. Most of you have
probably received those "DHL You have a package" emails.
There are others out there which cut through SSL like a hot knife
through warm butter.
It is in the best interest of those using the penetration software to
appear on every medium possible and tout the "security" of Secure Socket
Layer. When one repeats a lie often enough even otherwise intelligent
people will start to believe it.
> There's very little software that can be proven by mathematical means that it
> is secure beyond a doubt. Complex software like Qt, OpenSSL, Linux kernel, and
> 99.999% of all the software can't. Instead, security is practiced --among
> other things-- by quickly fixing what is known, when it is known. Under those
> guidelines, the last version of OpenSSL is secure *as far as we know it*.
> More importantly, any past version is *known* to have security issues.
> Whether those issues affect your product or not, only you can determine. So,
> yes, removing networking capabilities mitigates quite a lot.
Actually there is quite a bit of software which is "proven" by the "Holy
Trinity" to be completely unhackable. I don't remember the names of the
3 companies but it's the same 3 companies using both mathematical and
black hat physical attempts both with and without viewing source. You
have to be blessed by all 3. This is the type of software securing the
U.S. Passport system and at least one personal VPN.
It is not OpenSource, it is patented. At least all of the ones I've been
exposed to are. Getting a blessing from the "Holy Trinity" is a long way
from cheap. Lots of companies pay money and get shredded.
You can create your own without an ocean of effort. I've explained _how_
to do it several times in this group. JUST BE SURE TO READ THE PATENTS
BEFORE YOU RELEASE ANYTHING.
>> Pretty much everyone should be falling back to Qt 4.8 and staying there
>> until this ex-wife alimony licensing mentality gives Qt yet another new
>> owner. 99.9999999% of all companies refuse to pay royalties. No,
>> negotiating an up-front buy out for a license isn't paying royalties.
>> That's what my last customer did, but it was touch and go. They were
>> ready to kick Qt to the curb despite all of the proof of concept work
>> done with it.
>
> You may want to cut back on your exaggeration. You're off reality by a few
> orders of magnitude.
>
> [99.9999999% = 1 in one billion, my 99.999% is only 1 in ten thousand]
Before either of us can claim any high ground there we need to define
"companies." I'm including every 12 year old Script Kiddie who hurls a
completely insecure idiot phone app up to any app store which will let
them. They are using Electron, Flutter and a rash of other non-royalty
based tools. Okay, I probably should have left the last 9 off the end so
it was one in every hundred million.
>> While we are on the royalty topic I'm fielding an increasing number of
>> contacts from companies looking for Qt consultants willing to port
>> projects OFF Qt because of the licensing.
>
> That's a shame.
>
> For me, I can only hope that the Qt Company knows what it is doing. I don't
> doubt you're right that there are a lot of companies that don't want to pay
> according to the Qt Company's fee schedule. There are two questions that they
> need to answer:
>
> 1) does this fee schedule allow for growth of their business, engineering
> team and ecosystem?
>
> 2) is there a better, viable alternative?
>
> During Nokia days, there was a better alternative because the income wasn't
> tied to licensing. I don't think the only other source of income (consulting)
> is sufficient to make it an option.
It could/would/should be but from what I've seen Qt Company has no idea
how to do it. There are thousands of consulting companies scanning job
boards and slapping Qt consultants like me into very profitable
projects. I've been working with one (mostly) for close to a decade now.
They keep opening new offices in new cities. Gotta pay that rent somehow.
They have to follow that model, not just "hope" someone calls with a
project for them.
It's far too late for them to follow the Synergex model.
https://www.synergex.com/
Want to know what the basis of the Synergy tool set is? DIBOL. DIgital
Business Oriented Language created by Digital Equipment Corporation some
time before the late 1970s.
I do DIBOL work once in a blue moon. Honest to God I love the language,
at least when it is running on OpenVMS using real (not the ones
available in Linux repos) VT-100 emulators. If you are using indexed
files it is fantabulous.
The vast majority were (as of about 2 years ago) all running systems
written with DIBOL. There are a lot of other places as well using DIBOL
and the graphical version Synergex now has. Why don't I do more DIBOL
projects? Because Synergex has managed to lock up the consulting market.
Most/many/possibly everyone but me, when it comes to DIBOL consultants, is
under some form of contract to them. I don't know the specifics and
don't care enough about it to learn them. It all boils down to only the
companies with a pure DIBOL/VMS system have the ability to get honked
off at Synergex and toss a contract over to a regular pimp to find some
old guy like me. Everybody else on every other platform has little
choice. I don't know of any Synergex-certified consultants who are
operating freelance, at least openly. There might be a few here and
there, but that cannot explain the continued development of Synergy and
the growth of Synergex.
Synergex has some really big customers too. CVS has/had one or more
critical systems written with it. Whichever high end hotel chain has
their headquarters (or at least all software development) located in
Florida has their entire reservation and I believe chain management
written in it. I want to say it is Hyatt or Windham, but don't quote that.
They need to quit chasing the Script Kiddie market with QML and purchase
one of the handful of pimps specializing in embedded systems work,
anoint them as the only place to get consultants blessed by Qt, pointing
all customers there, then just take the skim off the top. Today, for the
firms which don't engage in visa fraud and exploit illegals, that is a
10-25% margin. Back in the 1980s it used to be 100-150% (I kid you not).
Getting back to the actual topic of this particular thread though, besides
the relentless ex-wife grubbing for alimony commercial licensing
situation, the mish-mash of OpenSource licensing is really killing Qt as
an option at companies who don't have an in-house legal department. Most
who talk to me about it take one look at the pages which have been
linked in this thread and say "that's it, we'll use Electron or
insert-competitor-here."
Most everybody wants one single license to read. At 2 they start tuning
out, at 3 they quit.
--
Roland Hughes, President
Logikal Solutions
(630)-205-1593 (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest