tl;dr:
Open Project
Closed Security

The officially endorsed method for reporting security issues for Qt is
to send them to secur...@qt-project.org, which is a private mailing
list. I have a problem with that.

"Experience has shown that 'security through obscurity' does not work.
Public disclosure allows for more rapid and better solutions to
security problems" (http://www.debian.org/security/).

"Security information moves very fast in cracker circles. On the other
hand, our experience is that coding and releasing of proper security
fixes typically requires about an hour of work -- very fast fix
turnaround is possible. Thus we think that full disclosure helps the
people who really care about security"
(http://openbsd.org/security.html).

If the Qt Project does not intend to take security issues seriously,
then we should remove security-related classes from the project
(QSslSocket, namely). Leaving them in is misleading.

d3fault
_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development
