unofficial mirror of help-guix@gnu.org 
From: Jack Hill <jackhill@jackhill.us>
To: help-guix@gnu.org
Subject: qtwebengine support/security status
Date: Mon, 20 Jan 2020 21:35:45 -0500 (EST)
Message-ID: <alpine.DEB.2.20.2001202113060.11560@marsh.hcoop.net>

Hi Guix,

Thanks to Mike and everyone for working on qtwebengine and qutebrowser. 
I'm happy and thankful that Guix's features and the community's commitment 
allow packaging these in a principled way.

Before I use these packages to browse untrusted websites, I wanted to 
double check that it is safe to do so. According to [0] we are using Qt 
5.12.6 which is the latest LTS. I agree with the assessment there that 
that's pretty good. However the messaging from Qt, "We do update to the 
latest Chromium version in use before a Qt release. After a release some 
bug fixes and security patches are backported. For LTS releases of Qt we 
might also update Chromium in a patch level release," [1] makes me less 
sure that qtwebengine will continue to be secure over the lifetime of a Qt 
release. qtwebengine at 69.0.3497.128 already seems to be behind our 
ungoogled-chromium package at 78.0.3904.108.

[0] https://issues.guix.gnu.org/issue/38148#5
[1] https://wiki.qt.io/QtWebEngine

I'm also curious how Qt releases will be handled in Guix. Can they go 
directly to master, or will they need to go through a staging or 
core-updates cycle?

To summarize, do we think it's prudent to expose our qtwebengine to random 
web pages? Thanks for your thoughts and all the hard work!

Best,
Jack
