Re: [Development] Qt6 repo

2023-04-17 Thread Robert Löhning via Development

On 23.03.2021 at 20:01, Thiago Macieira wrote:

On Tuesday, 23 March 2021 11:32:30 PDT Nibedit Dey wrote:

Any progress on QTQAINFRA-4200 ?


You can open the link and read for yourself:

https://bugreports.qt.io/browse/QTQAINFRA-4200

There's absolutely no hurry to do this. And it needs to be synchronised with
the CI and everyone that uses the Git repositories.



Did anything happen yet?
--
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development


Re: [Development] Security-relevant 3rd party components bundled with Qt

2022-10-07 Thread Robert Löhning via Development

On 20.09.22 at 14:47, Volker Hilsheimer wrote:

Hi,


Some of the 3rd party components we bundle in Qt are directly involved in code 
paths that are designed to process untrusted data. Following up on the 
situation with freetype [1] and the discussion we had during summer [2], it 
would help to know which of the 3rd party components we bundle today have a 
security relevant surface. All components process data, but many only process 
data that the application developer has full control over (for example, we 
explicitly state that you should not load any untrusted QML code or content 
[3]). Those that are designed to process data from anywhere are the ones that 
are most interesting here.

Those components should then be watched closer, and always get updated to the 
latest version, perhaps even for patch releases. To that end, I’ve started to 
collect a list of such components on

https://wiki.qt.io/Third_Party_Code_in_Qt

and would appreciate if you could have a look and add missing components to 
that page, esp if you are in charge of some of them. I’ve included a column 
that describes what kind of patches we apply when we update the 3rd party code 
(and this is perhaps a good opportunity to see if all of those are still 
necessary).

In the line of the previous discussion [1], we can then start investigating our 
options for those 3rd party components; for instance, can we build some of 
them as shared libraries so that they can be easily updated? On which platforms 
are some of them available as system libraries or SDKs, and do we test that 
those work in CI?


Thanks,
Volker

PS: Given the nature of Qt WebEngine, we can probably skip that particular 
repository in this exercise.

[1] https://lists.qt-project.org/pipermail/development/2022-July/042795.html
[2] https://lists.qt-project.org/pipermail/development/2022-July/042729.html
[3] https://doc.qt.io/qt-6/qtqml-documents-networktransparency.html



Hi,

thank you for this initiative Volker.

Would it make sense to add a column to that table containing the contact 
info of the respective 3rd party component's maintainer(s) and/or bug 
tracker? It's awkward to have found an issue and not know whom to tell 
about it.


By the way: If anybody knows how to reach a maintainer of libtiff, 
please let me know.


Cheers,
Robert