bug#21288: Qt's bundled libraries must not be used

bug#21288: Qt's bundled libraries must not be used

[Ludovic Courtès]

The bundled libraries in Qt are an obvious security issues, among other
concerns.  This bug is to keep track of progress removing those bundled
libraries (esp. in Qt 5.)

For background, see:

  https://lists.gnu.org/archive/html/guix-devel/2015-06/msg00302.html
  https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00018.html

Ludo’.

bug#21288: Qt's bundled libraries must not be used

[Andreas Enge]

Commit 7431ede removes the webkit module from qt-4.

Andreas

bug#21288: Qt's bundled libraries must not be used

[Andreas Enge]

Commit bc554b4 compiles qt-5 with the system harfbuzz and removes a bundled
copy from our source code (the one called harfbuzz-ng; strangely, there is
another one, called harfbuzz, without which the package does not compile).

Commit 9c32e1f removes the bundled sqlite copy (the system sqlite was already
used before).

Some other system libraries are already used automatically; to make things
clearer, we could also remove their source code (from the corresponding
3rdparty/ subdirectories).

Andreas

bug#21288: Qt's bundled libraries must not be used

[Mark H Weaver]

Hi Andreas,

Andreas Enge <andreas@enge.fr> writes:

> Commit bc554b4 compiles qt-5 with the system harfbuzz and removes a bundled
> copy from our source code (the one called harfbuzz-ng; strangely, there is
> another one, called harfbuzz, without which the package does not compile).
>
> Commit 9c32e1f removes the bundled sqlite copy (the system sqlite was already
> used before).

Sounds good, thank you!

> Some other system libraries are already used automatically; to make things
> clearer, we could also remove their source code (from the corresponding
> 3rdparty/ subdirectories).

Yes, I think we should remove as many bundled libraries as possible.
Even if the build system does not use the bundled libFOO today, a future
version might start using it, and so when there's a security flaw found
in libFOO, we will have to double-check to make sure it's really not
being used.  It's much easier to just remove the bundled copies.

What do you think?

      Mark

bug#21288: Qt's bundled libraries must not be used

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 541 bytes --]

I think in the intervening 4.5 years we've done a good job of removing
the bundled libraries from qt-4 and qt-5 and then qtbase. I'm going to
consider this bug a success. The note in the snippet says there are a
few more bundled libraries, like md5 and sha3 (and harfbuzz) but we've
otherwise done a great job on this one.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]