From: 宋文武 <iyzsong@gmail.com>
To: Mark H Weaver <mhw@netris.org>, Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org
Subject: Re: Help needed with security updates for Qt
Date: Fri, 19 Jun 2015 20:58:30 +0800
Message-ID: <87k2uzlurt.fsf@gmail.com>
In-Reply-To: <87mvzzg2f3.fsf@netris.org>

Mark H Weaver <mhw@netris.org> writes:

> Hi,
>
> Qt includes bundled copies of a *lot* of stuff. Among other things, it
> bundles Chromium, which also bundles a lot of stuff. Someone who cares
> about Qt needs to be on top of security updates for the things it
> bundles.
>
> Better yet, we should try to get it to use our system copies of
> libraries whenever possible.

Yes, as far as I know, the remaining bundled libraries are:

  pcre, needs to be built with '--enable-pcre16'
  jasper, not packaged yet, and needs various security patches
  leveldb, not packaged yet
  harfbuzz, libtiff and libwebp

And for Qt5, the QtWebEngine bundled Chromium.

>
> I'm aware of security updates for Chromium since the versions of Qt in
> Guix were released. There are probably many others as well.
>
> If we make a separate Chromium package, then beware that there will
> probably be FSDG issues that need to be addressed, e.g. offering to
> install non-free software like flash, video codecs or plugins. It may
> be that we need to address these issues even if we don't make a separate
> Chromium package, depending on how Qt uses it.
>
> There's also stuff like this:
>
> "chromium: unconditionally downloads binary blob"
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
>
> It's a big hairy mess, and to be honest I don't want to touch Qt with a
> ten foot pole. Someone who cares about Qt needs to get on top of this.

I'd like to try to re-package qt5 with submodules, and drop QtWebEngine,
the same as Debian and NixOS did.