From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Security updates for bundled copies of libraries in Qt
Date: Sun, 02 Aug 2015 15:24:18 -0400
Message-ID: <87h9ohmr31.fsf_-_@netris.org>
References: <20150726095545.GA29093@debian> <20150726110200.GA7976@debian>
	<87egjvexuy.fsf@gmail.com> <20150727083128.GA5271@debian>
	<87h9op7m2u.fsf@gmail.com> <20150802093741.GA4366@debian>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51855)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1ZLysB-00070D-OA
	for guix-devel@gnu.org; Sun, 02 Aug 2015 15:24:40 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1ZLys8-0000uu-Fz
	for guix-devel@gnu.org; Sun, 02 Aug 2015 15:24:39 -0400
Received: from world.peace.net ([50.252.239.5]:58733)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1ZLys8-0000t0-C4
	for guix-devel@gnu.org; Sun, 02 Aug 2015 15:24:36 -0400
In-Reply-To: <20150802093741.GA4366@debian> (Andreas Enge's message of "Sun, 2
	Aug 2015 11:37:41 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org

Andreas Enge <andreas@enge.fr> writes:
> In any case, feel free to implement a more modular qt, for me
> this is not a priority.

Fair enough, but consider this: IMO, the most severe problem with using
bundled copies of libraries has to do with security updates.  We have
yet to develop a security policy, but in my opinion we should not allow
software with known security flaws to remain in Guix for more than a
short time.  Either someone must take responsibility for applying
security fixes to a given package, or else that package should be
removed.  Does that make sense?

I've been doing my best to apply security fixes to Guix in a timely
fashion -- which turns out to be a big job and I could use more help --
but I'm *not* willing to do the duplicated work of applying the same
fixes to the bundled copies of libraries in Qt.  If our Qt packages are
going to use bundled copies of libraries, then someone needs to take
responsibility for applying security updates to those copies.

Any takers?

In the meantime, I honestly have no idea what security holes exist in
our Qt packages, so I've purged all software that depends on Qt from my
system.

      Mark