Fwd: Re: SSL, KDE and Qt

Allen Winter winter at kde.org
Mon Dec 31 00:59:11 CET 2007

On Sunday 30 December 2007 18:50:40 Thiago Macieira wrote:
> Allen Winter wrote:
> >So, we are ok with Andreas' hackery inside KTcpSocket.  The only problem
> >occurs if someone tries to use QSslSocket directly.  But I don't think
> > we need to worry about that much.. or do we?
> No, we don't. Using QSslSocket bypasses all KDE SSL settings. No 
> application is supposed to do that, as it also may pose a security risk 
> (do all such application authors know how to read the SSL settings and 
> disable the insecure keys that we disable in KDE?).
> >Or, maybe Qt4.3.4 we be released in the next 1-2 days, including this
> > patch, and we can require that.
> Not going to happen. The Qt 4.3.4 release is scheduled for the end of 
> January.
> Even if I started the release process the day I come back to the office 
> (Tuesday 8th), it takes at least one week and a half to get all tests 
> done on all platforms (as per our release procedures). So the soonest for 
> the release is actually the day I leave for Mountain View.
> In any case, I see that Andreas has committed a workaround already. Given 
> the severity of this issue and the relative simple patch required to fix 
> it, I can backport it and include in Qt 4.3.4 if it's of use.
I'll revert the qt-copy+patches requirement change.

More information about the release-team mailing list