Diffstat (limited to 'quip-0004.rst')
-rw-r--r--  quip-0004.rst  25
1 files changed, 21 insertions, 4 deletions
diff --git a/quip-0004.rst b/quip-0004.rst
index fa59b2e..9fd663e 100644
--- a/quip-0004.rst
+++ b/quip-0004.rst
@@ -6,7 +6,8 @@ Status: Active
Type: Process
Requires: QUIP 7
Created: 2016-12-08
-Post-History: http://lists.qt-project.org/pipermail/development/2016-December/028114.html
+Post-History: http://lists.qt-project.org/pipermail/development/2016-December/028114.html,
+ http://lists.qt-project.org/pipermail/development/2018-June/032862.html
Overview
========
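Review bot: The second Post-History URL (the new continuation line) is indented by one space, which reST accepts as a field-body continuation, but it is the only such line in the header, so a reader of the raw file can easily miss that it belongs to Post-History rather than being a stray line. Consider indenting it to align under the first URL, or giving each posting its own line of the form "Post-History: <url>" so the header stays visually regular and future posts append cleanly.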
@@ -57,9 +58,24 @@ a git submodule.
Updating Third-Party Components
===============================
-Before each release the module maintainer shall check whether any Third-Party
-Component needs to be updated. This is typically the case if a newer version
-was released upstream, or security vulnerabilities have been found.
+The Module Maintainer is ultimately responsible for tracking upstream
+development of Third Party Modules in their module. The maintainer should watch
+out for new security vulnerabilities that are reported, or new releases becoming
+available. The maintainer can delegate this responsibility though.
+
+A newly known security vulnerability in versions of a Third Party Module that is
+part of any still supported Qt library, plugin or tool needs to be reported to
+the Qt Project security mailing list [2]. The core security team can then decide
+whether any immediate action is necessary.
+
+Before each release of Qt, the Module Maintainer shall check whether any
+Third-Party Component needs to be updated. We aim to always ship with the latest
+release of an upstream feature series, for all supported branches of Qt.
+
+If an upstream project or feature series we use in an active branch becomes
+unsupported, it is the responsibility of the Module Maintainer to watch out for
+security issues or patches for it. This might mean for instance coordinating
+with Linux distributions.
Updates for components that become part of a Qt library, plugin, or tool need
to be mentioned in the change log of the release in a "[Third-Party Code]" area.
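Review bot: The new text mixes "Third Party Modules" and "Third-Party Component" for the same concept (first paragraph versus third), while the rest of this QUIP and the hunk's own heading use "Third-Party Component"; pick one term, since the reporting and update duties defined here need to attach unambiguously to whatever the earlier sections define. Two further points in the same region: "The maintainer can delegate this responsibility though" says nothing about how the delegate is recorded, so the security-team triage described in the next paragraph has no named contact to reach when the maintainer is unresponsive, and the sentence "needs to be reported to the Qt Project security mailing list [2]" cites a reference that, per the last hunk, is the security policy wiki page rather than a list address; rewording to "reported as described in the Qt Project security policy [2]" would match what the link actually provides.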
@@ -105,3 +121,4 @@ References
==========
.. [1] https://www.qt.io/terms-conditions/
+.. [2] https://wiki.qt.io/Qt_Project_Security_Policy
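Review bot: The added reference [2] is the security policy page, not a mailing-list address, while the text that cites it (the "Updating Third-Party Components" section) calls it "the Qt Project security mailing list"; either the citing sentence should describe the link as the policy, or this entry should point at the list itself, otherwise a maintainer following [2] to report a vulnerability lands on a page rather than a reporting channel.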