On Sunday, 7 October 2012 21.48.22, d3fault wrote:
> > If you find that it's a security issue, contact us at
> > [email protected] so we can deal with it.
>
> Can we get a Security mailing list that uses the email address
> provided above so as to keep the process more transparent? Qt's
> response time to the CRIME vulnerability is/was pathetic (I am
> partially to blame for that -- didn't report it thinking it would be
> fixed upstream in SSL itself).
>
> Or perhaps two security related lists: Security-discussion (for a
> thread like this) and Security-announce (for confirmed vulns, perhaps
> read-only to the public)?

For obvious reasons, the security list is not public and is not open for subscription from other people. If you feel you have a reason to be in the security mailing list, please mail us there and ask to be subscribed. We're looking for people with the following skills:

1) can provide advice in security-related matters, such as fixes to issues
2) can get around Qt's source code (knows where to find things)
3) can write code and unit tests, submit to the Qt repository

Even then, we want to keep the team small. The objective of the security mailing list is to assess issues being reported and determine whether or not an urgent fix is required.

As for the CRIME vulnerability, we had it fixed before the details were made public (by way of guessing what the issue was). The problem happened after the fix, in getting it published.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
