unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Staying on top of Qt security
@ 2016-02-14 20:01 Leo Famulari
  2016-02-18 20:43 ` Andreas Enge
  2016-02-25  8:35 ` Andreas Enge
  0 siblings, 2 replies; 24+ messages in thread
From: Leo Famulari @ 2016-02-14 20:01 UTC (permalink / raw)
  To: guix-devel

It's been pointed out in the past that Qt [0] bundles many other softare
distributions, making it more difficult to fully apply security updates.
One would have to *know* what software was bundled and be sure to update
the bundled copy along with the standalone copy.

I asked for guidance on #qt [2] and they pointed me to their security
policy:
https://wiki.qt.io/Qt_project_security_policy

The salient points are:

1) Security updates are only guaranteed for the latest version, and the
preceding minor version. Updates may be issued for earlier versions but
there is no commitment from Qt on this subject.

2) Security problems will be publicly disclosed to the
annouce@qt-project.org mailing list.

3) There is an early notification system for those who need it, such as
distribution packagers (like us) on a private security-annouce mailing
list.

We currently package qt-4.8.7 and qt-5.5.1. My interpretation of Qt's
policy is that 4.x is unsupported, while 5.5 is supported, but I might
be wrong; their website is a real maze.

I think we need a Qt champion(s) for Guix.

Here is what I think this person should do:

1) Get on the Qt security-announce list so that we can patch bugs before
they are disclosed.

2) Figure out *what* 3rd party software is bundled by Qt and try to make
Qt use external versions of this software. This will go a long way to
making our Qt packaging secure.

3) Manage the process of removing unsupported versions of Qt. This means
upgraded dependent packages once they support the latest Qt release. [3]

4) Help us decide what do about about Qt dependent packages that only
work with unsupported versions of Qt.

This is my first time thinking about this sort of issue, so it's
quite possible that my recommendations are wrong or incomplete!

Your thoughts? Any takers?

[0]
http://www.qt.io/

[1]
https://lists.gnu.org/archive/html/guix-devel/2015-06/msg00302.html
https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00018.html

[2]
irc://irc.freenode.net/qt

[3]
$ guix refresh -l qt-4                        
Building the following 18 packages would ensure 24 dependent packages
are rebuilt: soprano-2.9.4 python2-pyqt-4.11.4 polkit-qt-1-0.112.0
frescobaldi-2.18.1 keepassx-2.0.2 hydrogen-0.9.5.1 strigi-0.7.8
attica-0.4.2 pumpa-0.9.2 libdbusmenu-qt-0.9.2 phonon-4.8.3
brdf-explorer-17 gpsbabel-1.5.0 librecad-2.0.6-rc
alsa-modular-synth-2.1.2 qtractor-0.7.3 ardour-4.4 jalv-1.4.6

^ permalink raw reply	[flat|nested] 24+ messages in thread

end of thread, other threads:[~2016-03-09  8:46 UTC | newest]

Thread overview: 24+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-14 20:01 Staying on top of Qt security Leo Famulari
2016-02-18 20:43 ` Andreas Enge
2016-02-18 22:35   ` Leo Famulari
2016-02-20 20:46     ` Efraim Flashner
2016-02-18 22:53   ` Christopher Allan Webber
2016-02-18 22:59     ` Andreas Enge
2016-02-20 18:27       ` Christopher Allan Webber
2016-02-21  7:28         ` Leo Famulari
2016-02-21 17:42           ` Christopher Allan Webber
2016-02-21 19:27             ` Leo Famulari
2016-02-22 19:53             ` Andreas Enge
2016-02-22 20:19               ` Leo Famulari
2016-02-22 20:40           ` Andreas Enge
2016-02-22 20:36   ` Andreas Enge
2016-02-25  8:35 ` Andreas Enge
2016-02-25  9:04   ` Andreas Enge
2016-02-25  9:06     ` Andreas Enge
2016-02-25  9:36       ` Ricardo Wurmus
2016-03-05 11:41       ` Andreas Enge
2016-03-05 21:16         ` Ricardo Wurmus
2016-03-05 21:18           ` Andreas Enge
2016-03-09  8:46             ` Ricardo Wurmus
2016-02-25  9:38   ` Ricardo Wurmus
2016-02-25 20:22     ` Andreas Enge

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).