On Sun, Oct 7, 2012 at 10:00 PM, Thiago Macieira <thiago.macie...@intel.com> wrote:
> For obvious reasons, the security list is not public and is not open for
> subscription from other people. If you feel you have a reason to be in the
> security mailing list, please mail us there and ask to be subscribed. We're
> looking for people with the following skills:
>

What are those obvious reasons that trump transparency? Full disclosure security is the best form of security. You're talking about an official/internal 'team', whereas I'm talking about a mailing list. The 'team' would be the only ones with write access to Security-announce... but everyone should be encouraged to contribute to Security-discussion. Everything should be done transparently... else what is Open Governance but a marketing buzz-word?

Note: discussions between the security team members should take place entirely on Security-discussion (allowing anybody to join in)... up until they confirm the vuln and post it on Security-announce.

>
> 1) can provide advice in security-related matters, such as fixes to issues
> 2) can get around Qt's source code (knows where to find things)
> 3) can write code and unit tests, submit to the Qt repository
>

Can you add me then? I mostly just want to read it, but I might be able to help somewhere.

^^See the problem here? Privileged information. Who knows what major security holes are sitting in secur...@qt-project.org while the rest of us sit around with our fingers crossed.

>
> As for the CRIME vulnerability, we had it fixed before the details were made
> public (by way of guessing what the issue was). The problem happened after the
> fix, in getting it published.

Yea, some vague IRC discussions were happening between a few developers, but it took a week+ before an announcement and patch release was made. A post to Security-announce should have been made immediately after it was confirmed (some would argue that the announcement should wait until there's a fix, but I don't).

d3fault
_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development