Re: [Development] proposal: security mailing list
On 11/15/2011 09:30 PM, ext lars.kn...@nokia.com wrote:
> (...)
> The reason why many other projects have private lists for security issues is to avoid making zero day exploits widely known. It would most likely be good to also be able to discuss some of these issues in a more closed mailing list, not to be less transparent, but to not tell hackers about the issues before we have a fix.

We have that list already internally within Nokia; whenever somebody sends a report via the security issue report form at http://qt.nokia.com/forms/security it will end up on the private security list. We are planning to transfer that list to something @qt-project.org. The plan is to make that list invite-only and the archives private.

> A public announcement list might be needed as well, but for that we could simply use annou...@qt-project.org.

OK, fine by me, then let's use the announce list for security announcements as well. If nobody objects I will write a blog post on http://labs.qt.nokia.com/ the next time there is a security issue, and will say that in the future those things are handled through annou...@qt-project.org.

Peter

> Cheers,
> Lars

--
Qt Developer Days 2011 – REGISTER NOW!
October 24 – 26, Munich
November 29 – December 1, San Francisco
Learn more and Register at http://qt.nokia.com/qtdevdays2011

___
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development
Re: [Development] proposal: security mailing list
On 11/16/11 11:32 AM, Peter Hartmann peter.hartm...@nokia.com wrote:
> On 11/15/2011 09:30 PM, ext lars.kn...@nokia.com wrote:
>> (...)
>> The reason why many other projects have private lists for security issues is to avoid making zero day exploits widely known. It would most likely be good to also be able to discuss some of these issues in a more closed mailing list, not to be less transparent, but to not tell hackers about the issues before we have a fix.
>
> We have that list already internally within Nokia; whenever somebody sends a report via the security issue report form at http://qt.nokia.com/forms/security it will end up on the private security list. We are planning to transfer that list to something @qt-project.org. The plan is to make that list invite-only and the archives private.
>
>> A public announcement list might be needed as well, but for that we could simply use annou...@qt-project.org.
>
> OK, fine by me, then let's use the announce list for security announcements as well. If nobody objects I will write a blog post on http://labs.qt.nokia.com/ the next time there is a security issue, and will say that in the future those things are handled through annou...@qt-project.org.

Sounds like a plan :)

Cheers,
Lars
Re: [Development] proposal: security mailing list
> We are planning to transfer that list to something @qt-project.org. The plan is to make that list invite-only and the archives private.

I am not sure what you mean by invite-only. Could you please elaborate on the precise meaning?

In general, I think it would be nice to provide the opportunity for people to join, if they can prove the relevant background for instance (maybe with 1-2 supporters).

Best Regards,
Laszlo Papp
Re: [Development] proposal: security mailing list
On 11/16/2011 03:30 PM, ext Alexis Menard wrote:
> On Wed, Nov 16, 2011 at 11:21 AM, Laszlo Papp lp...@kde.org wrote:
>>> We are planning to transfer that list to something @qt-project.org. The plan is to make that list invite-only and the archives private.
>>
>> I am not sure what you mean by invite-only. Could you please elaborate on the precise meaning?
>
> A member proposes to invite a person, and modulo approval of the others he/she can join.

Exactly, just like becoming an approver for Qt. In addition we can CC individuals on a case-by-case basis (and have done so previously).

Peter

>> In general, I think it would be nice to provide the opportunity for people to join, if they can prove the relevant background for instance (maybe with 1-2 supporters).
>
> That's what he meant.
>
>> Best Regards,
>> Laszlo Papp
[Development] proposal: security mailing list
Hello,

I would like to propose the introduction of a low-traffic security mailing list for posting security patches for Qt. Right now we always need to write a blog post entry with an attached diff (see for instance [1]), but since e.g. SSL certificates get compromised a lot these days, this does not scale that well. So maybe a mailing list of its own with important security-related updates would be helpful for Linux package maintainers and others.

There was the suggestion that this list should be private; personally I rather favor a public list, because usually when creating patches for Qt similar patches have landed in other public repositories already (e.g. Chromium or Mozilla). The reason for that is that most of the security patches were made regarding blacklisting fraudulent certificates rather than fixing memory corruption bugs which should be kept secret.

Btw. note that there is also a security issue report form at http://qt.nokia.com/forms/security .

Any comments?

Regards,

Peter

---
[1] http://labs.qt.nokia.com/2011/09/07/what-the-diginotar-security-breach-means-for-qt-users-continued/
Re: [Development] proposal: security mailing list
On Tue, Nov 15, 2011 at 11:30 AM, Peter Hartmann peter.hartm...@nokia.com wrote:
> I would like to propose the introduction of a low-traffic security mailing list for posting security patches for Qt. Right now we always need to write a blog post entry with an attached diff (see for instance [1]), but since e.g. SSL certificates get compromised a lot these days, this does not scale that well. So maybe an own mailing list with important security-related updates would be helpful for Linux package maintainers and others.

I think this makes complete sense.

> There was the suggestion that this list should be private; personally I rather favor a public list, because usually when creating patches for Qt similar patches have landed in other public repositories already (e.g. Chromium or Mozilla). The reason for that is that most of the security patches were made regarding blacklisting fraudulent certificates rather than fixing memory corruption bugs which should be kept secret.

I think a public list should be fine for the announcements. It doesn't stop there being a private list too if needed for privately discussing issues before they are addressed.

Rich.
Re: [Development] proposal: security mailing list
On 11/15/11 2:33 PM, ext Richard Moore r...@kde.org wrote:
> On Tue, Nov 15, 2011 at 11:30 AM, Peter Hartmann peter.hartm...@nokia.com wrote:
>> I would like to propose the introduction of a low-traffic security mailing list for posting security patches for Qt. Right now we always need to write a blog post entry with an attached diff (see for instance [1]), but since e.g. SSL certificates get compromised a lot these days, this does not scale that well. So maybe an own mailing list with important security-related updates would be helpful for Linux package maintainers and others.
>
> I think this makes complete sense.
>
>> There was the suggestion that this list should be private; personally I rather favor a public list, because usually when creating patches for Qt similar patches have landed in other public repositories already (e.g. Chromium or Mozilla). The reason for that is that most of the security patches were made regarding blacklisting fraudulent certificates rather than fixing memory corruption bugs which should be kept secret.
>
> I think a public list should be fine for the announcements. It doesn't stop there being a private list too if needed for privately discussing issues before they are addressed.

The reason why many other projects have private lists for security issues is to avoid making zero day exploits widely known. It would most likely be good to also be able to discuss some of these issues in a more closed mailing list, not to be less transparent, but to not tell hackers about the issues before we have a fix.

A public announcement list might be needed as well, but for that we could simply use annou...@qt-project.org.

Cheers,
Lars