> On 2 Apr 2025, at 13:51, Volker Hilsheimer via Development 
> <[email protected]> wrote:
> 
> Hi all,
> 
> 
> we have had a few rounds in which we reviewed code in various Qt modules and 
> added security tags as per https://contribute.qt-project.org/quips/23
> 
> As expected, we learned a few things in the process, and are preparing a few 
> improvements and clarifications. One of the proposals is that we should 
> always tag header and sources files the same way:
> 
> https://codereview.qt-project.org/c/meta/quips/+/630766
> 
> Rationale as per the change, but see discussion as well, and contribute with 
> your perspective.
> 
> I expect that we’ll see a few more clarifications, both normative and 
> editorial, coming to that QUIP as we work our way through the code base. We 
> might not start a new mailing list thread for each of those changes, so if 
> you care about this process, it might be a good idea to configure your gerrit 
> notifications to make you aware of incoming patches.
> 
> 
> Cheers,
> Volker

While the particular change above never got approved, we have now further 
developed our process and exercised our threat analysis and risk assessment 
muscles, and based on that I’m proposing the following update:

https://codereview.qt-project.org/c/meta/quips/+/713587

TL;DR:

* all sources that are part of the framework need a security classification
* adopt established terminology from threat modeling
* clearer guidance on which files are likely to qualify as critical
* multiple reason tags might be given for any file, in a comma-separated list

Volker

-- 
Development mailing list
[email protected]
https://lists.qt-project.org/listinfo/development
