author: Kai Koehne <firstname.lastname@example.org>, 2018-07-05 10:00:34 +0200
committer: Lars Knoll <email@example.com>, 2018-08-22 10:30:01 +0000
QUIP-4: Clarify rules for updating 3rd party components
This summarizes the conclusions from the mailing list and the session at the Qt Contributor Summit 2018. The guideline is to always keep Third-Party Components up to date, in all Qt branches.

Change-Id: I92c1b1115203d13851af2dd8a99ab0d6181f10d1
Reviewed-by: Edward Welbourne <firstname.lastname@example.org>
Reviewed-by: Andy Shaw <email@example.com>
Reviewed-by: Jani Heikkinen <firstname.lastname@example.org>
Reviewed-by: Lars Knoll <email@example.com>
1 files changed, 21 insertions, 4 deletions
diff --git a/quip-0004.rst b/quip-0004.rst
index fa59b2e..9fd663e 100644
@@ -6,7 +6,8 @@ Status: Active
Requires: QUIP 7
@@ -57,9 +58,24 @@ a git submodule.
Updating Third-Party Components
-Before each release the module maintainer shall check whether any Third-Party
-Component needs to be updated. This is typically the case if a newer version
-was released upstream, or security vulnerabilities have been found.
+The Module Maintainer is ultimately responsible for tracking upstream
+development of Third Party Modules in their module. The maintainer should watch
+out for new security vulnerabilities that are reported, or new releases becoming
+available. The maintainer can delegate this responsibility though.
+A newly known security vulnerability in versions of a Third Party Module that is
+part of any still supported Qt library, plugin or tool needs to be reported to
+the Qt Project security mailing list . The core security team can then decide
+whether any immediate action is necessary.
+Before each release of Qt, the Module Maintainer shall check whether any
+Third-Party Component needs to be updated. We aim to always ship with the latest
+release of an upstream feature series, for all supported branches of Qt.
+If an upstream project or feature series we use in an active branch becomes
+unsupported, it is the responsibility of the Module Maintainer to watch out for
+security issues or patches for it. This might mean for instance coordinating
+with Linux distributions.
Updates for components that become part of a Qt library, plugin, or tool need
to be mentioned in the change log of the release in a "[Third-Party Code]" area.
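Review bot: The sentence "needs to be reported to the Qt Project security mailing list ." names the list without giving an address or a link, and the stray space before the period suggests the link target was dropped; please add the list address or a reference to the Qt Project Security Policy page so a maintainer reading this QUIP knows where to report. Terminology in this hunk also alternates between "Third Party Modules" (first two added paragraphs) and "Third-Party Component" (the third paragraph and the unchanged text below), and the document defines the latter; use "Third-Party Component" throughout. Finally, "The maintainer can delegate this responsibility though." would read better as "The maintainer may delegate this responsibility, but remains accountable for it.", which also makes explicit that delegation does not transfer the obligation stated in the first sentence.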
@@ -105,3 +121,4 @@ References
..  https://www.qt.io/terms-conditions/
+..  https://wiki.qt.io/Qt_Project_Security_Policy
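Review bot: The newly added security policy reference is not cited from the body text; the paragraph about reporting vulnerabilities to the security mailing list is the natural place to point at it, so consider linking that sentence to this reference rather than leaving the URL only in the References list.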