On Wednesday, 29 January 2020 00:52:00 PST Cristián Maureira-Fredes wrote:

> Since TQtC has commercial customers, we will internally fork
> the latest bug fix release, and will start adding patches on
> top of that on request of the customers, but hey! all those
> patches will be on Gerrit, so if they are important for your work,
> you can just cherry pick them to your local Qt and re-build.
The big question is knowing *which* patches those are. I don't suppose TQtC will make it easy for the rest of us to find that out, since that would make it too easy for someone to maintain a fork and thus undermine the LTS business.

> I think nobody at Qt will be so irresponsible as to not notify
> security patches, and I'm certain we will work around this issue,
> to maybe distribute it in a better way for Open Source users.

I can categorically say that security fixes *to* *Qt* will not be affected. Qt Project Security Policy has not changed.

Security fixes to third-party components found inside Qt that have an equivalent -system-xxx option on configure are not covered by the Security Policy. We have not and do not plan to make Qt releases or publish security advisories about them. All users of Qt are required to directly monitor these dependencies and update as needed (I highly recommend ALWAYS using -system-xxx[1]).

If TQtC wants to offer an additional service to their commercial users on doing that monitoring and updating, it's up to them.

[1] note how the binary downloads don't use them due to DLL hell and other issues. I really recommend rebuilding everything from sources for your official releases.

--
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products

_______________________________________________
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
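The point above, that bundled third-party copies inside Qt fall outside the Qt Project Security Policy and must be tracked by the user, is easy to lose sight of once a build has been configured. The script below is an added example, not code from the mailing list or from the Qt project: it parses a `config.summary`-style report to list which third-party components a build compiled from Qt's bundled copies rather than the system ones. The sample summary is constructed, and its "Using system <name> .... yes/no" layout is an assumption modelled on Qt 5 configure output; the `-system-<name>` flag it suggests is a heuristic that must be checked against `configure -help` for the Qt version in use.

```python
"""List third-party components that a Qt build bundles instead of taking
from the system, so they can be put on an independent update watch list.
Added example (not Qt project code); the summary format is an assumption."""
import re

# Constructed sample in the style of a Qt 5 config.summary (assumption:
# real summaries contain "Using system <name> .... yes/no" lines like these).
SAMPLE_SUMMARY = """\
Qt Core:
  Using system zlib ...................... no
  Using system PCRE2 ..................... yes
Qt Gui:
  FreeType ............................... yes
    Using system FreeType ................ yes
  HarfBuzz ............................... yes
    Using system HarfBuzz ................ no
  JPEG ................................... yes
    Using system libjpeg ................. no
  PNG .................................... yes
    Using system libpng .................. no
"""

# Matches the component name and the yes/no answer on a "Using system" line.
_SYSTEM_LINE = re.compile(r"Using system (\S+)\s*\.*\s*(yes|no)\s*$")


def classify_components(summary):
    """Return {name: True if the system copy is used, False if bundled},
    preserving the order in which the summary lists the components."""
    result = {}
    for line in summary.splitlines():
        m = _SYSTEM_LINE.search(line)
        if m:
            result[m.group(1)] = (m.group(2) == "yes")
    return result


def bundled_components(summary):
    """Names of third-party components compiled from Qt's bundled copies;
    these are the ones the user has to monitor for upstream security fixes."""
    return [name for name, is_system in classify_components(summary).items()
            if not is_system]


def suggested_flag(name):
    """Heuristic configure flag for switching to the system copy (assumption:
    the real flag names differ for some components, so verify with
    `configure -help`)."""
    return "-system-" + name.lower()


if __name__ == "__main__":
    for name in bundled_components(SAMPLE_SUMMARY):
        print(f"{name}: bundled copy in use; consider {suggested_flag(name)} "
              f"and track that project's advisories yourself")
```

Run it against the real `config.summary` written by Qt's configure step (e.g. `classify_components(open("config.summary").read())`) to get the list of components whose advisories the Qt Project will not relay; anything reported as bundled is a dependency you must update and rebuild on your own schedule.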