* qtwebengine support/security status
@ 2020-01-21  2:35 Jack Hill
From: Jack Hill @ 2020-01-21  2:35 UTC (permalink / raw)
  To: help-guix

Hi Guix,

Thanks to Mike and everyone for working on qtwebengine and qutebrowser. 
I'm happy and thankful that Guix's features and the community's commitment 
allow packaging these in a principled way.

Before I use these packages to browse untrusted websites, I wanted to 
double check that it is safe to do so. According to [0] we are using Qt 
5.12.6 which is the latest LTS. I agree with the assessment there that 
that's pretty good. However the messaging from Qt, "We do update to the 
latest Chromium version in use before a Qt release. After a release some 
bug fixes and security patches are backported. For LTS releases of Qt we 
might also update Chromium in a patch level release," [1] makes me less 
sure that qtwebengine will continue to be secure over the lifetime of a Qt 
release. qtwebengine at 69.0.3497.128 already seems to be behind our 
ungoogled-chromium package at 78.0.3904.108.

[0] https://issues.guix.gnu.org/issue/38148#5
[1] https://wiki.qt.io/QtWebEngine

I'm also curious how Qt releases will be handled in Guix. Can they go 
directly to master, or will they need to go through a staging or 
core-updates cycle?

So to summarize, do we think it's prudent to expose our qtwebengine to random 
web pages? Thanks for your thoughts and all the hard work!

Best,
Jack


* Re: qtwebengine support/security status
From: Jack Hill @ 2020-01-21 18:29 UTC (permalink / raw)
  To: help-guix

On Mon, 20 Jan 2020, Jack Hill wrote:

> Hi Guix,
>
> Thanks to Mike and everyone for working on qtwebengine and qutebrowser. I'm 
> happy and thankful that Guix's features and the community's commitment allow 
> packaging these in a principled way.
>
> Before I use these packages to browse untrusted websites, I wanted to double 
> check that it is safe to do so. According to [0] we are using Qt 5.12.6 which 
> is the latest LTS. I agree with the assessment there that that's pretty good. 
> However the messaging from Qt, "We do update to the latest Chromium version 
> in use before a Qt release. After a release some bug fixes and security 
> patches are backported. For LTS releases of Qt we might also update Chromium 
> in a patch level release," [1] makes me less sure that qtwebengine will 
> continue to be secure over the lifetime of a Qt release. qtwebengine at 
> 69.0.3497.128 already seems to be behind our ungoogled-chromium package at 
> 78.0.3904.108.
>
> [0] https://issues.guix.gnu.org/issue/38148#5
> [1] https://wiki.qt.io/QtWebEngine
>
> I'm also curious how Qt releases will be handled in Guix. Can they go 
> directly to master, or will they need to go through a staging or core-updates 
> cycle?
>
> So to summarize, do we think it's prudent to expose our qtwebengine to random 
> web pages? Thanks for your thoughts and all the hard work!

I also asked about this on the #qutebrowser IRC channel. 
The_Compiler, qutebrowser's primary developer, said,

"""
< The-Compiler> jackhill: they do backport security fixes since Qt 
5.12 is an LTS release, but it's mostly a "best effort" kind of thing

< The-Compiler> jackhill: I use (and recommend) the latest Qt 
release as soon as show-stopper bugs are fixed, usually in the .1 release 
(and for Archlinux I ask the packager to backport patches)
"""

Does this mean that we should keep the latest qtwebengine for web browsers 
as well?

Best,
Jack

