Am 20.09.22 um 14:47 schrieb Volker Hilsheimer:
Hi,
Some of the 3rd party components we bundle in Qt are directly involved in code
paths that are designed to process untrusted data. Following up on the
situation with freetype [1] and the discussion we had during summer [2], it
would help know which of the 3rd party components we bundle today have a
security relevant surface. All components process data, but many only process
data that the application developer has full control over (for example, we
explicitly state that you should not load any untrusted QML code or content
[3]). Those that are designed to process data from anywhere are the ones that
are most interesting here.
Those components should then be watched closer, and always get updated to the
latest version, perhaps even for patch releases. To that end, I’ve started to
collect a list of such components on
https://wiki.qt.io/Third_Party_Code_in_Qt
and would appreciate if you could have a look and add missing components to
that page, esp if you are in charge of some of them. I’ve included a column
that describes what kind of patches we apply when we update the 3rd party code
(and this is perhaps a good opportunity to see if all of those are still
necessary).
In the line of the previous discussion [1], we can then start investigating our
options for those 3rd party components; for instance, can we build them some of
them as shared libraries so that they can be easily updated? On which platforms
are some of them available as system libraries or SDKs, and do we test that
those work in CI?
Thanks,
Volker
PS: Given the nature of Qt WebEngine, we can probably skip that particular
repository in this exercise.
[1] https://lists.qt-project.org/pipermail/development/2022-July/042795.html
[2] https://lists.qt-project.org/pipermail/development/2022-July/042729.html
[3] https://doc.qt.io/qt-6/qtqml-documents-networktransparency.html
___
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
Hi,
thank you for this initiative Volker.
Would it make sense to add a column to that table containing the contact
info of the respective 3rd party component's maintainer(s) and/or bug
tracker? It's awkward to have found an issue and not know whom to tell
about it.
By the way: If anybody knows how to reach a maintainer of libtiff,
please let me know.
Cheers,
Robert
___
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development