Fwd: Re: SSL, KDE and Qt
Allen Winter
winter at kde.org
Mon Dec 31 00:59:11 CET 2007
On Sunday 30 December 2007 18:50:40 Thiago Macieira wrote:
> Allen Winter wrote:
> >So, we are ok with Andreas' hackery inside KTcpSocket. The only problem
> >occurs if someone tries to use QSslSocket directly. But I don't think
> > we need to worry about that much.. or do we?
>
> No, we don't. Using QSslSocket bypasses all KDE SSL settings. No
> application is supposed to do that, as it also may pose a security risk
> (do all such application authors know how to read the SSL settings and
> disable the insecure keys that we disable in KDE?).
>
> >Or, maybe Qt4.3.4 will be released in the next 1-2 days, including this
> > patch, and we can require that.
>
> Not going to happen. The Qt 4.3.4 release is scheduled for the end of
> January.
>
> Even if I started the release process the day I come back to the office
> (Tuesday 8th), it takes at least one week and a half to get all tests
> done on all platforms (as per our release procedures). So the soonest for
> the release is actually the day I leave for Mountain View.
>
> In any case, I see that Andreas has committed a workaround already. Given
> the severity of this issue and the relatively simple patch required to fix
> it, I can backport it and include it in Qt 4.3.4 if it's of use.
>
Thanks.
I'll revert the qt-copy+patches requirement change.