Fwd: Re: SSL, KDE and Qt

Thiago Macieira thiago at kde.org
Mon Dec 31 00:50:40 CET 2007

Allen Winter wrote:
>So, we are ok with Andreas' hackery inside KTcpSocket.  The only problem
>occurs if someone tries to use QSslSocket directly.  But I don't think
> we need to worry about that much.. or do we?

No, we don't. Using QSslSocket bypasses all KDE SSL settings. No 
application is supposed to do that, as it also may pose a security risk 
(do all such application authors know how to read the SSL settings and 
disable the insecure keys that we disable in KDE?).

>Or, maybe Qt4.3.4 we be released in the next 1-2 days, including this
> patch, and we can require that.

Not going to happen. The Qt 4.3.4 release is scheduled for the end of 

Even if I started the release process the day I come back to the office 
(Tuesday 8th), it takes at least one week and a half to get all tests 
done on all platforms (as per our release procedures). So the soonest for 
the release is actually the day I leave for Mountain View.

In any case, I see that Andreas has committed a workaround already. Given 
the severity of this issue and the relative simple patch required to fix 
it, I can backport it and include in Qt 4.3.4 if it's of use.

  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://mail.kde.org/pipermail/release-team/attachments/20071230/750071c8/attachment.pgp 

More information about the release-team mailing list