I proposed it, therefore if nobody disagrees, I get consensus and the decision goes into effect. I'll quote myself in an earlier post to actually give this thread some substance:
On Thu, Oct 18, 2012 at 3:40 PM, d3fault <d3faultdot...@gmail.com> wrote:
> tl;dr:
> Open Project
> Closed Security
>
> The officially endorsed method for reporting security issues for Qt is
> to send them to secur...@qt-project.org, which is a private mailing
> list. I have a problem with that.
>
> "Experience has shown that 'security through obscurity' does not work.
> Public disclosure allows for more rapid and better solutions to
> security problems" (http://www.debian.org/security/).
>
> "Security information moves very fast in cracker circles. On the other
> hand, our experience is that coding and releasing of proper security
> fixes typically requires about an hour of work -- very fast fix
> turnaround is possible. Thus we think that full disclosure helps the
> people who really care about security"
> (http://openbsd.org/security.html).
>
> If the Qt Project does not intend on taking security issues seriously,
> then we should remove security related classes from the project
> (QSslSocket namely). Leaving them in is misleading.
>
> d3fault

d3fault