author | Kai Koehne <kai.koehne@qt.io> | 2018-07-05 10:00:34 +0200 |
---|---|---|
committer | Lars Knoll <lars.knoll@qt.io> | 2018-08-22 10:30:01 +0000 |
commit | 57b05f95bb554fb69741aa4103b7e284a077d6e5 (patch) | |
tree | 6b4a9e1b34eb986da7e5911a42375421bf0966e7 /quip-0004.rst | |
parent | 3a226771b8fdbed20fcbad4806e1523a3bd70c52 (diff) |
QUIP-4: Clarify rules for updating 3rd party components
This summarizes the conclusions from the mailing list and the
session at the Qt Contributor Summit 2018. The guideline is
to always keep Third-Party Components up to date, in all Qt
branches.
Change-Id: I92c1b1115203d13851af2dd8a99ab0d6181f10d1
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Andy Shaw <andy.shaw@qt.io>
Reviewed-by: Jani Heikkinen <jani.heikkinen@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Diffstat (limited to 'quip-0004.rst')
-rw-r--r-- | quip-0004.rst | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/quip-0004.rst b/quip-0004.rst index fa59b2e..9fd663e 100644 --- a/quip-0004.rst +++ b/quip-0004.rst @@ -6,7 +6,8 @@ Status: Active Type: Process Requires: QUIP 7 Created: 2016-12-08 -Post-History: http://lists.qt-project.org/pipermail/development/2016-December/028114.html +Post-History: http://lists.qt-project.org/pipermail/development/2016-December/028114.html, + http://lists.qt-project.org/pipermail/development/2018-June/032862.html Overview ======== 
@@ -57,9 +58,24 @@ a git submodule. Updating Third-Party Components =============================== -Before each release the module maintainer shall check whether any Third-Party -Component needs to be updated. This is typically the case if a newer version -was released upstream, or security vulnerabilities have been found. +The Module Maintainer is ultimately responsible for tracking upstream +development of Third Party Modules in their module. The maintainer should watch +out for new security vulnerabilities that are reported, or new releases becoming +available. The maintainer can delegate this responsibility though. + +A newly known security vulnerability in versions of a Third Party Module that is +part of any still supported Qt library, plugin or tool needs to be reported to +the Qt Project security mailing list [2]. The core security team can then decide +whether any immediate action is necessary. + +Before each release of Qt, the Module Maintainer shall check whether any +Third-Party Component needs to be updated. We aim to always ship with the latest +release of an upstream feature series, for all supported branches of Qt. + +If an upstream project or feature series we use in an active branch becomes +unsupported, it is the responsibility of the Module Maintainer to watch out for +security issues or patches for it. This might mean for instance coordinating +with Linux distributions. Updates for components that become part of a Qt library, plugin, or tool need to be mentioned in the change log of the release in a "[Third-Party Code]" area. @@ -105,3 +121,4 @@ References ========== .. [1] https://www.qt.io/terms-conditions/ +.. [2] https://wiki.qt.io/Qt_Project_Security_Policy |
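Review bot: In the "Updating Third-Party Components" hunk, the second added paragraph says a newly known vulnerability "needs to be reported to the Qt Project security mailing list [2]" without naming who has to report it, while the first, third and fourth added paragraphs each assign their duty to the Module Maintainer. Since the first paragraph also allows delegation, please state the responsible party explicitly, for example "The Module Maintainer, or whoever the tracking was delegated to, shall report ...", so the obligation does not fall between maintainer and delegate. In the same hunk, the first two added paragraphs say "Third Party Modules" / "Third Party Module" where the section heading and the third paragraph say "Third-Party Component"; pick one term (the heading's) and one hyphenation, so it is clear the reporting rule covers the same set of code as the update rule.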