Staying on top of Qt security

[Leo Famulari <leo@famulari.name>]

It's been pointed out in the past that Qt [0] bundles many other softare
distributions, making it more difficult to fully apply security updates.
One would have to *know* what software was bundled and be sure to update
the bundled copy along with the standalone copy.

I asked for guidance on #qt [2] and they pointed me to their security
policy:
https://wiki.qt.io/Qt_project_security_policy

The salient points are:

1) Security updates are only guaranteed for the latest version, and the
preceding minor version. Updates may be issued for earlier versions but
there is no commitment from Qt on this subject.

2) Security problems will be publicly disclosed to the
annouce@qt-project.org mailing list.

3) There is an early notification system for those who need it, such as
distribution packagers (like us) on a private security-annouce mailing
list.

We currently package qt-4.8.7 and qt-5.5.1. My interpretation of Qt's
policy is that 4.x is unsupported, while 5.5 is supported, but I might
be wrong; their website is a real maze.

I think we need a Qt champion(s) for Guix.

Here is what I think this person should do:

1) Get on the Qt security-announce list so that we can patch bugs before
they are disclosed.

2) Figure out *what* 3rd party software is bundled by Qt and try to make
Qt use external versions of this software. This will go a long way to
making our Qt packaging secure.

3) Manage the process of removing unsupported versions of Qt. This means
upgraded dependent packages once they support the latest Qt release. [3]

4) Help us decide what do about about Qt dependent packages that only
work with unsupported versions of Qt.

This is my first time thinking about this sort of issue, so it's
quite possible that my recommendations are wrong or incomplete!

Your thoughts? Any takers?

[0]
http://www.qt.io/

[1]
https://lists.gnu.org/archive/html/guix-devel/2015-06/msg00302.html
https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00018.html

[2]
irc://irc.freenode.net/qt

[3]
$ guix refresh -l qt-4                        
Building the following 18 packages would ensure 24 dependent packages
are rebuilt: soprano-2.9.4 python2-pyqt-4.11.4 polkit-qt-1-0.112.0
frescobaldi-2.18.1 keepassx-2.0.2 hydrogen-0.9.5.1 strigi-0.7.8
attica-0.4.2 pumpa-0.9.2 libdbusmenu-qt-0.9.2 phonon-4.8.3
brdf-explorer-17 gpsbabel-1.5.0 librecad-2.0.6-rc
alsa-modular-synth-2.1.2 qtractor-0.7.3 ardour-4.4 jalv-1.4.6