From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andreas Enge Subject: Re: Security updates for bundled copies of libraries in Qt Date: Tue, 11 Aug 2015 20:10:38 +0200 Message-ID: <20150811181038.GA31201@debian> References: <20150726095545.GA29093@debian> <20150726110200.GA7976@debian> <87egjvexuy.fsf@gmail.com> <20150727083128.GA5271@debian> <87h9op7m2u.fsf@gmail.com> <20150802093741.GA4366@debian> <87h9ohmr31.fsf_-_@netris.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:35693) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZPE1C-0001cH-1l for guix-devel@gnu.org; Tue, 11 Aug 2015 14:11:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZPE17-0005U9-UX for guix-devel@gnu.org; Tue, 11 Aug 2015 14:11:21 -0400 Received: from mout.kundenserver.de ([212.227.17.24]:56145) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZPE17-0005TQ-KW for guix-devel@gnu.org; Tue, 11 Aug 2015 14:11:17 -0400 Content-Disposition: inline In-Reply-To: <87h9ohmr31.fsf_-_@netris.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: Mark H Weaver Cc: guix-devel@gnu.org Hello, On Sun, Aug 02, 2015 at 03:24:18PM -0400, Mark H Weaver wrote: > Andreas Enge writes: > > In any case, feel free to implement a more modular qt, for me > > this is not a priority. > > Fair enough, but consider this: IMO, the most severe problem with using > bundled copies of libraries has to do with security updates. We have > yet to develop a security policy, but in my opinion we should not allow > software with known security flaws to remain in Guix for more than a > short time. Either someone must take responsibility for applying > security fixes to a given package, or else that package should be > removed. Does that make sense? bundled copies are definitely very annoying, and I agree we should try to avoid them. But the question on whether Qt should be built in a modular fashion (supposedly, that would mean that there would be different output packages with different libraries?) is orthogonal to the problem of bundled libraries, if I understand things correctly. Already now, we can drop modules from our build, as we did for qtwebengine bundlind chromium. Are there others we should drop? > In the meantime, I honestly have no idea what security holes exist in > our Qt packages, so I've purged all software that depends on Qt from my > system. I think it would be nice if we could drop qt-4; I recently switched vlc over to qt-5. Could you maybe try if our current qt-5 package could be enabled on mips? My one-core machine is so incredibly slow that I do not have the courage to try compiling there... > I've been doing my best to apply security fixes to Guix in a timely > fashion -- which turns out to be a big job and I could use more help How do you do it? Are you subscribed to the CVEs, or do you look them up manually? Could the search for them be automated for our packages? Andreas