Notes from the session are in https://wiki.qt.io/Qt_Contributor_Summit_2019_-_Security_Policy
See QUIP for proposal - https://codereview.qt-project.org/c/meta/quips/+/278819

* Make the security core team a very small
** Must be Qt Project Approver
* Subscribed people to the security list is larger
* Our security processes already include:
** "Four eyes" review process (no one can introduce their own changes)
** Static analyses (Giuseppe uploads every Sunday)
** Fuzzing is done for some modules that are designed to consume untrusted data (Robert had a session on this and will have more details)
** Update third-party components every release
* Third-party component updating:
** For Qt5, remain as is, with manual processes
** For Qt 6, with cmake, upgrading should be easy (single command), so customers can do it too
** We may need to patch when there are fixes from third-parties that are not in any release yet
* Proposal: third-party support bundle
** For all binary builds, create a bundle of all third-party content built as regular shared libraries/DLLs
** Updates whenever there are new releases for those third-parties and when there are fixes necessary
** Shared among all Qt versions
** Release announcements include the vulnerabilities fixed
** Time frame: probably for 6.0
* Proposal: core security team monitors third-party CVE feeds
** Update the bundled sources

== The Core Security Team ==

The '''Core''' team is responsible for:
* Moderating emails to [email protected]
* Triaging incoming reports, removing those that aren't security issues
* Informing full security team (includes all maintainers)
* Determining the responsible person for fixing the issue
* Security issues are initially P0, but can be lowered after investigation
* When confirmed as a security issue, Core Security Team obtains CVE number
* Ensuring assignee for fix is working on it

Who is on this team? Volker will discuss with the Qt Company management and report.
-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products

_______________________________________________
Development mailing list
[email protected]
https://lists.qt-project.org/listinfo/development
