> On 7 Oct 2022, at 22:08, Robert Löhning via Development 
> <development@qt-project.org> wrote:
> 
> On 20.09.22 at 14:47, Volker Hilsheimer wrote:
>> Hi,
>> Some of the 3rd party components we bundle in Qt are directly involved in 
>> code paths that are designed to process untrusted data. Following up on the 
>> situation with freetype [1] and the discussion we had during summer [2], it 
>> would help to know which of the 3rd party components we bundle today have a 
>> security relevant surface. All components process data, but many only 
>> process data that the application developer has full control over (for 
>> example, we explicitly state that you should not load any untrusted QML code 
>> or content [3]). Those that are designed to process data from anywhere are 
>> the ones that are most interesting here.
>> Those components should then be watched closer, and always get updated to 
>> the latest version, perhaps even for patch releases. To that end, I’ve 
>> started to collect a list of such components on
>> https://wiki.qt.io/Third_Party_Code_in_Qt
>> and would appreciate if you could have a look and add missing components to 
>> that page, esp. if you are in charge of some of them. I’ve included a column 
>> that describes what kind of patches we apply when we update the 3rd party 
>> code (and this is perhaps a good opportunity to see if all of those are 
>> still necessary).
>> In the line of the previous discussion [1], we can then start investigating 
>> our options for those 3rd party components; for instance, can we build 
>> some of them as shared libraries so that they can be easily updated? On 
>> which platforms are some of them available as system libraries or SDKs, and 
>> do we test that those work in CI?
>> Thanks,
>> Volker
>> PS: Given the nature of Qt WebEngine, we can probably skip that particular 
>> repository in this exercise.
>> [1] https://lists.qt-project.org/pipermail/development/2022-July/042795.html
>> [2] https://lists.qt-project.org/pipermail/development/2022-July/042729.html
>> [3] https://doc.qt.io/qt-6/qtqml-documents-networktransparency.html
>> _______________________________________________
>> Development mailing list
>> Development@qt-project.org
>> https://lists.qt-project.org/listinfo/development
> 
> Hi,
> 
> thank you for this initiative Volker.
> 
> Would it make sense to add a column to that table containing the contact info 
> of the respective 3rd party component's maintainer(s) and/or bug tracker? 
> It's awkward to have found an issue and not know whom to tell about it.

Sure, add what you think is useful.


> By the way: If anybody knows how to reach a maintainer of libtiff, please let 
> me know.

http://www.libtiff.org specifies t...@remotesensing.org as the mailing list 
address, and names a few individuals. Based on 
https://www.asmail.be/msg0054916394.html it would seem that you found that 
already though.

Volker
