From: 宋文武
Subject: Re: Help needed with security updates for Qt
Date: Fri, 19 Jun 2015 20:58:30 +0800
Message-ID: <87k2uzlurt.fsf@gmail.com>
To: Mark H Weaver, Andreas Enge
Cc: guix-devel@gnu.org

Mark H Weaver writes:

> Hi,
>
> Qt includes bundled copies of a *lot* of stuff.  Among other things, it
> bundles Chromium, which also bundles a lot of stuff.  Someone who cares
> about Qt needs to be on top of security updates for the things it
> bundles.
>
> Better yet, we should try to get it to use our system copies of
> libraries whenever possible.

Yes, as far as I know, the remaining bundled libraries are:

  pcre, needs to be built with '--enable-pcre16'
  jasper, not packaged yet, and needs various security patches
  leveldb, not packaged yet
  harfbuzz, libtiff and libwebp

And for Qt5, the Chromium bundled by QtWebEngine.
>
> I'm aware of security updates for Chromium since the versions of Qt in
> Guix were released.  There are probably many others as well.
>
> If we make a separate Chromium package, then beware that there will
> probably be FSDG issues that need to be addressed, e.g. offering to
> install non-free software like flash, video codecs or plugins.  It may
> be that we need to address these issues even if we don't make a separate
> Chromium package, depending on how Qt uses it.
>
> There's also stuff like this:
>
>   "chromium: unconditionally downloads binary blob"
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
>
> It's a big hairy mess, and to be honest I don't want to touch Qt with a
> ten foot pole.  Someone who cares about Qt needs to get on top of this.

I'd like to try to re-package qt5 with submodules, and drop QtWebEngine,
the same as Debian and NixOS did.