From: Andreas Enge <andreas@enge.fr>
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: Security updates for bundled copies of libraries in Qt
Date: Tue, 11 Aug 2015 20:10:38 +0200 [thread overview]
Message-ID: <20150811181038.GA31201@debian> (raw)
In-Reply-To: <87h9ohmr31.fsf_-_@netris.org>
Hello,
On Sun, Aug 02, 2015 at 03:24:18PM -0400, Mark H Weaver wrote:
> Andreas Enge <andreas@enge.fr> writes:
> > In any case, feel free to implement a more modular qt, for me
> > this is not a priority.
>
> Fair enough, but consider this: IMO, the most severe problem with using
> bundled copies of libraries has to do with security updates. We have
> yet to develop a security policy, but in my opinion we should not allow
> software with known security flaws to remain in Guix for more than a
> short time. Either someone must take responsibility for applying
> security fixes to a given package, or else that package should be
> removed. Does that make sense?
bundled copies are definitely very annoying, and I agree we should try
to avoid them. But the question on whether Qt should be built in a modular
fashion (supposedly, that would mean that there would be different output
packages with different libraries?) is orthogonal to the problem of bundled
libraries, if I understand things correctly.
Already now, we can drop modules from our build, as we did for
qtwebengine bundlind chromium. Are there others we should drop?
> In the meantime, I honestly have no idea what security holes exist in
> our Qt packages, so I've purged all software that depends on Qt from my
> system.
I think it would be nice if we could drop qt-4; I recently switched vlc over
to qt-5.
Could you maybe try if our current qt-5 package could be enabled on mips?
My one-core machine is so incredibly slow that I do not have the courage
to try compiling there...
> I've been doing my best to apply security fixes to Guix in a timely
> fashion -- which turns out to be a big job and I could use more help
How do you do it? Are you subscribed to the CVEs, or do you look them
up manually? Could the search for them be automated for our packages?
Andreas
next prev parent reply other threads:[~2015-08-11 18:11 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-26 9:55 Qtwebengine Andreas Enge
2015-07-26 11:02 ` Qtwebengine Andreas Enge
2015-07-26 15:34 ` Qtwebengine 宋文武
2015-07-26 21:07 ` Qtwebengine Mark H Weaver
2015-07-27 8:35 ` Qtwebengine Andreas Enge
2015-07-27 8:31 ` Qtwebengine Andreas Enge
2015-07-27 13:43 ` Qtwebengine 宋文武
2015-08-02 9:37 ` Qtwebengine Andreas Enge
2015-08-02 19:24 ` Security updates for bundled copies of libraries in Qt Mark H Weaver
2015-08-11 18:10 ` Andreas Enge [this message]
2015-08-18 14:59 ` Ludovic Courtès
2015-08-18 15:12 ` Andreas Enge
2015-08-19 22:23 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150811181038.GA31201@debian \
--to=andreas@enge.fr \
--cc=guix-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).