Diffstat (limited to 'quip-0004.rst')
-rw-r--r-- | quip-0004.rst | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/quip-0004.rst b/quip-0004.rst index fa59b2e..9fd663e 100644 --- a/quip-0004.rst +++ b/quip-0004.rst @@ -6,7 +6,8 @@ Status: Active Type: Process Requires: QUIP 7 Created: 2016-12-08 -Post-History: http://lists.qt-project.org/pipermail/development/2016-December/028114.html +Post-History: http://lists.qt-project.org/pipermail/development/2016-December/028114.html, + http://lists.qt-project.org/pipermail/development/2018-June/032862.html Overview ======== 
@@ -57,9 +58,24 @@ a git submodule. Updating Third-Party Components =============================== -Before each release the module maintainer shall check whether any Third-Party -Component needs to be updated. This is typically the case if a newer version -was released upstream, or security vulnerabilities have been found. +The Module Maintainer is ultimately responsible for tracking upstream +development of Third Party Modules in their module. The maintainer should watch +out for new security vulnerabilities that are reported, or new releases becoming +available. The maintainer can delegate this responsibility though. + +A newly known security vulnerability in versions of a Third Party Module that is +part of any still supported Qt library, plugin or tool needs to be reported to +the Qt Project security mailing list [2]. The core security team can then decide +whether any immediate action is necessary. + +Before each release of Qt, the Module Maintainer shall check whether any +Third-Party Component needs to be updated. We aim to always ship with the latest +release of an upstream feature series, for all supported branches of Qt. + +If an upstream project or feature series we use in an active branch becomes +unsupported, it is the responsibility of the Module Maintainer to watch out for +security issues or patches for it. This might mean for instance coordinating +with Linux distributions. Updates for components that become part of a Qt library, plugin, or tool need to be mentioned in the change log of the release in a "[Third-Party Code]" area. @@ -105,3 +121,4 @@ References ========== .. [1] https://www.qt.io/terms-conditions/ +.. [2] https://wiki.qt.io/Qt_Project_Security_Policy |
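Review bot: In the first two added paragraphs of the "Updating Third-Party Components" hunk, the text says "Third Party Modules" and "Third Party Module", while the section heading, the third added paragraph and the unchanged context line all say "Third-Party Component". Unless a different thing is meant, use "Third-Party Component" throughout so readers do not take these for two categories. In the same hunk, "The maintainer can delegate this responsibility though." does not say to whom, or where the delegation is recorded; consider naming that, or stating that the Module Maintainer stays accountable, which "ultimately responsible" already implies.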
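Review bot: The new reference "[2]" added in the References hunk is https://wiki.qt.io/Qt_Project_Security_Policy, but the sentence that cites it reads "reported to the Qt Project security mailing list [2]", so the footnote reads as if it were the list itself rather than the policy page. Suggest rewording the citing sentence along the lines of "reported as described in the Qt Project Security Policy [2]". That sentence is also passive and does not say who is expected to report; if it is the Module Maintainer, as in the paragraphs around it, say so.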