[Development] Pinging Marco Bubke for QTCREATORBUG-20401 - Allow to build with system's SQLite
Marco Bubke
2018-06-07 17:37:42 UTC
AFAIK the refactoring plugin is disabled for release. Just do the same for the Sqlite library.

On June 7, 2018 23:54:43 Thiago Macieira <***@intel.com> wrote:

> On Thursday, 7 June 2018 06:56:11 PDT Lisandro Damián Nicanor Pérez Meyer
> wrote:
>> On Thursday, 7 June 2018 07:17:10 -03 Marco Bubke wrote:
>> > It is used by the Clang refactoring plugin, which is not built by
>> > default.
>>
>> But we are still building sqlite3.c by default.
>
> So we just need a conditional to disable the building if the refactoring
> plugin isn't enabled either.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
> Software Architect - Intel Open Source Technology Center
>
>
>
> _______________________________________________
> Development mailing list
> ***@qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development
Giuseppe D'Angelo
2018-06-07 09:19:26 UTC
Hi,

On 07/06/18 05:13, Thiago Macieira wrote:
> As you may be aware, Intel is taking security VERY seriously and I cannot
> accept a project I contribute to having any worse policies. Our open source
> security team also evaluates each project's security policies and they have
> blacklisted quite a few open source projects from being used in Intel
> products, so I'd like to make sure Qt continues to comply with the stricter
> guidelines.

By any chance, are these guidelines public?

Thanks,
--
Giuseppe D'Angelo | ***@kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - The Qt, C++ and OpenGL Experts
Thiago Macieira
2018-06-07 16:01:54 UTC
On Thursday, 7 June 2018 02:19:26 PDT Giuseppe D'Angelo wrote:
> Hi,
>
> On 07/06/18 05:13, Thiago Macieira wrote:
> > As you may be aware, Intel is taking security VERY seriously and I cannot
> > accept a project I contribute to having any worse policies. Our open source
> > security team also evaluates each project's security policies and they have
> > blacklisted quite a few open source projects from being used in Intel
> > products, so I'd like to make sure Qt continues to comply with the stricter
> > guidelines.
>
> By any chance, are these guidelines public?

No. I can summarise and paraphrase, though. It basically boils down to
"releases frequently and has a security team", which is fine for most
projects.

My gripe is with the third party content we have inside Qt, which throws a
wrench into the gears. Intel products MUST use the latest release and follow
all the security guidelines for all software it's using, so those bundled
third-party hide releases and security notices that are relevant. This is what
I want to discuss: how can we make sure we don't cause our users to use known-
insecure software because we haven't updated our third-party content.

For that reason, my current advice to ANY software using Qt is to never use
any of the bundled third-party (always use system libraries). Note how this
means "don't ever use the pre-built binaries from download.qt.io"...

PS: I realise I am guilty of the thing I am accusing of too. TinyCBOR, just
merged into 5.12, cannot be used as a system library as it stands. I had
planned on having sufficient time to finish the API for 0.6 before the Qt 5.12
release, but it doesn't look like it.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
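The concern above is that a bundled single-file copy of SQLite can silently fall behind the release the rest of the system already has, so nobody notices a security notice applies to it. The following shell script is an added example (not code from this thread, from Qt Creator, or from SQLite) of the check a packager or build maintainer can run: it reads `SQLITE_VERSION` out of a bundled `sqlite3.h`, compares it with the version the system provides, and fails when the bundled copy lags. The header content it writes is a constructed sample with a made-up version number; the `pkg-config --modversion sqlite3` lookup is assumed to be available and falls back to a constructed value when it is not.

```shell
#!/bin/sh
# Added example: flag a bundled SQLite copy that is older than the system's.
# Nothing here is Qt Creator's build logic; the header below is constructed.

# Print the SQLITE_VERSION string defined in an sqlite3.h file.
bundled_sqlite_version() {
    sed -n 's/^#define SQLITE_VERSION[[:space:]]*"\([0-9.]*\)".*/\1/p' "$1"
}

# Compare two dotted versions numerically, field by field.
# Prints "older", "same" or "newer" describing $1 relative to $2.
compare_versions() {
    if [ "$1" = "$2" ]; then echo same; return; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    if [ "$lowest" = "$1" ]; then echo older; else echo newer; fi
}

# Exit status 1 when the bundled copy lags the system version, 2 when the
# header carries no version at all, 0 otherwise. Always prints a verdict.
check_bundled_sqlite() {
    header=$1
    system_version=$2
    bundled=$(bundled_sqlite_version "$header")
    if [ -z "$bundled" ]; then
        echo "no SQLITE_VERSION found in $header"
        return 2
    fi
    case $(compare_versions "$bundled" "$system_version") in
        older)
            echo "bundled SQLite $bundled lags system SQLite $system_version"
            return 1 ;;
        *)
            echo "bundled SQLite $bundled is at least system SQLite $system_version"
            return 0 ;;
    esac
}

# Constructed sample header standing in for a bundled src/libs/3rdparty copy.
SAMPLE_HEADER=$(mktemp)
cat > "$SAMPLE_HEADER" <<'EOF'
/* constructed sample, not the real sqlite3.h */
#define SQLITE_VERSION        "3.23.1"
#define SQLITE_VERSION_NUMBER 3023001
EOF

# System version from pkg-config when present; otherwise a constructed value
# chosen to be newer than the sample so the lag is visible.
SYSTEM_VERSION=$(pkg-config --modversion sqlite3 2>/dev/null || echo 3.24.0)

if check_bundled_sqlite "$SAMPLE_HEADER" "$SYSTEM_VERSION"; then
    echo "OK: no update needed"
else
    echo "ACTION: refresh the bundled copy or build against the system library"
fi
```

Run against a real tree by pointing `SAMPLE_HEADER` at the bundled `sqlite3.h` and letting `pkg-config` supply the system version; a non-zero exit is what a CI job or distribution packager would gate on. The comparison is purely numeric on the dotted fields, which is enough for SQLite's `X.Y.Z` scheme but would need extending for projects that use pre-release suffixes.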
Thiago Macieira
2018-06-07 07:06:32 UTC
On Wednesday, 6 June 2018 23:52:35 PDT Marco Bubke wrote:
> Hi
>
> I am on vacation till end of July, I am looking forward to discussing it in
> August.

Sure. Meanwhile, can we apply Lisandro's patch?

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
Edward Welbourne
2018-06-08 08:30:19 UTC
Marco Bubke (7 June 2018 19:37) wrote:
> AFAIK the refactoring plugin is disabled for release. Just do the same for the Sqlite library.

Probably better to do as Thiago said:

On June 7, 2018 23:54:43 Thiago Macieira <***@intel.com> wrote:
>> So we just need a conditional to disable the building if the refactoring
>> plugin isn't enabled either.

or, perhaps more to the point, only enable building of the sqlite plugin
if (it's explicitly wanted or) something that needs it is enabled,

Eddy.
Marco Bubke
2018-06-08 14:30:59 UTC
The Sqlite module is not a plugin but a library. It is linked to a plugin, but this plugin is not built in release and is normally disabled.
Like I said, it can simply not be built for release. Please stick to KISS.

On June 8, 2018 16:30:19 Edward Welbourne <***@qt.io> wrote:

> Marco Bubke (7 June 2018 19:37) wrote:
>> AFAIK the refactoring plugin is disabled for release. Just do the same for the Sqlite library.
>
> Probably better to do as Thiago said:
>
> On June 7, 2018 23:54:43 Thiago Macieira <***@intel.com> wrote:
>>> So we just need a conditional to disable the building if the refactoring
>>> plugin isn't enabled either.
>
> or, perhaps more to the point, only enable building of the sqlite plugin
> if (it's explicitly wanted or) something that needs it is enabled,
>
> Eddy.
Tim Jenssen
2018-06-07 04:23:19 UTC
I try to forward this message, but he is on a long vacation trip. So it could take a while.

________________________________
From: Development <development-bounces+tim.jenssen=***@qt-project.org> on behalf of Thiago Macieira <***@intel.com>
Sent: Thursday, June 7, 2018 5:13:07 AM
To: ***@qt-project.org
Subject: Re: [Development] Pinging Marco Bubke for QTCREATORBUG-20401 - Allow to build with system's SQLite

On Wednesday, 6 June 2018 19:57:55 PDT Thiago Macieira wrote:
> On Wednesday, 6 June 2018 19:09:00 PDT Lisandro Damián Nicanor Pérez Meyer
> wrote:
> > - Is it worth the trade off considering it makes finding security bugs
> > more complicated?
>
> We're not supposed to find or fix sqlite security issues. We get them from
> upstream and upstream supports the single-file build style.

Actually, this is a very important subject, so I just added a session to the
QtCS program next week to discuss it.

As you may be aware, Intel is taking security VERY seriously and I cannot
accept a project I contribute to having any worse policies. Our open source
security team also evaluates each project's security policies and they have
blacklisted quite a few open source projects from being used in Intel
products, so I'd like to make sure Qt continues to comply with the stricter
guidelines.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
Thiago Macieira
2018-06-07 01:22:35 UTC
On Wednesday, 6 June 2018 16:44:02 PDT Lisandro Damián Nicanor Pérez Meyer
wrote:
> Hi! As neither the bug, the proposed patch or the pings have been
> replied I'm hereby pinging Marco Bubke or someone else who might take
> a look at this.

Also, please explain why it isn't using QtSql.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center