Fwd: Re: SSL, KDE and Qt
Thiago Macieira
thiago at kde.org
Mon Dec 31 00:50:40 CET 2007
Allen Winter wrote:
>So, we are ok with Andreas' hackery inside KTcpSocket. The only problem
>occurs if someone tries to use QSslSocket directly. But I don't think
> we need to worry about that much.. or do we?
No, we don't. Using QSslSocket bypasses all KDE SSL settings. No
application is supposed to do that, as it also may pose a security risk
(do all such application authors know how to read the SSL settings and
disable the insecure keys that we disable in KDE?).
>Or, maybe Qt4.3.4 will be released in the next 1-2 days, including this
> patch, and we can require that.
Not going to happen. The Qt 4.3.4 release is scheduled for the end of
January.
Even if I started the release process the day I come back to the office
(Tuesday 8th), it takes at least one week and a half to get all tests
done on all platforms (as per our release procedures). So the soonest for
the release is actually the day I leave for Mountain View.
In any case, I see that Andreas has committed a workaround already. Given
the severity of this issue and the relatively simple patch required to fix
it, I can backport it and include it in Qt 4.3.4 if it's of use.
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358