From: Leo Famulari
Subject: Staying on top of Qt security
Date: Sun, 14 Feb 2016 15:01:43 -0500
Message-ID: <20160214200143.GA19744@jasmine>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

It's been pointed out in the past that Qt [0] bundles many other software distributions, making it more difficult to fully apply security updates. One would have to *know* what software was bundled and be sure to update the bundled copy along with the standalone copy.

I asked for guidance on #qt [2] and they pointed me to their security policy:

https://wiki.qt.io/Qt_project_security_policy

The salient points are:

1) Security updates are only guaranteed for the latest version, and the preceding minor version. Updates may be issued for earlier versions but there is no commitment from Qt on this subject.

2) Security problems will be publicly disclosed to the announce@qt-project.org mailing list.

3) There is an early notification system for those who need it, such as distribution packagers (like us), on a private security-announce mailing list.

We currently package qt-4.8.7 and qt-5.5.1. My interpretation of Qt's policy is that 4.x is unsupported, while 5.5 is supported, but I might be wrong; their website is a real maze.

I think we need a Qt champion(s) for Guix. Here is what I think this person should do:

1) Get on the Qt security-announce list so that we can patch bugs before they are disclosed.

2) Figure out *what* 3rd party software is bundled by Qt and try to make Qt use external versions of this software. This will go a long way to making our Qt packaging secure.

3) Manage the process of removing unsupported versions of Qt. This means upgrading dependent packages once they support the latest Qt release. [3]

4) Help us decide what to do about Qt dependent packages that only work with unsupported versions of Qt.

This is my first time thinking about this sort of issue, so it's quite possible that my recommendations are wrong or incomplete!

Your thoughts? Any takers?

[0] http://www.qt.io/
[1] https://lists.gnu.org/archive/html/guix-devel/2015-06/msg00302.html
    https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00018.html
[2] irc://irc.freenode.net/qt
[3]
$ guix refresh -l qt-4
Building the following 18 packages would ensure 24 dependent packages are rebuilt: soprano-2.9.4 python2-pyqt-4.11.4 polkit-qt-1-0.112.0 frescobaldi-2.18.1 keepassx-2.0.2 hydrogen-0.9.5.1 strigi-0.7.8 attica-0.4.2 pumpa-0.9.2 libdbusmenu-qt-0.9.2 phonon-4.8.3 brdf-explorer-17 gpsbabel-1.5.0 librecad-2.0.6-rc alsa-modular-synth-2.1.2 qtractor-0.7.3 ardour-4.4 jalv-1.4.6
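Editor's note: the following is an added example, not part of Leo's message and not Guix or Qt project code. It shows one way a packager could approach step 2 above (finding out *what* third-party code a Qt source tree bundles, and which of those copies the build will still compile in). It assumes two things about Qt: that vendored code lives in directories named "3rdparty" (qtbase keeps it under src/3rdparty), and that the configure script accepts "-system-<name>" flags to use a distribution-provided library instead of the bundled copy. The exact-name comparison between a 3rdparty subdirectory and a -system-<name> flag is a simplification; in a real tree the two names do not always coincide, so the mapping may need adjusting. The sample tree at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original message). Enumerates bundled
# third-party code in a Qt-style source tree and reports which copies are
# NOT replaced by a "-system-<name>" configure flag, i.e. which vendored
# copies a packager must still track for security updates.

# list_bundled TREE
#   Prints one name per line for each subdirectory found under any
#   directory called "3rdparty" (assumed Qt layout, e.g. qtbase/src/3rdparty).
list_bundled() {
    find "$1" -type d -name 3rdparty -exec sh -c '
        for d in "$1"/*/; do
            [ -d "$d" ] && basename "$d"
        done' _ {} \; 2>/dev/null | sort -u
}

# unbundled_names "FLAGS"
#   Extracts the bare library name from every "-system-<name>" flag in the
#   given configure flag string; other flags are ignored.
unbundled_names() {
    for f in $1; do
        case "$f" in
            -system-*) printf '%s\n' "${f#-system-}" ;;
        esac
    done
}

# still_bundled TREE "FLAGS"
#   Prints the bundled names that no -system-<name> flag covers. Comparison is
#   by exact name, which is a simplification of real Qt directory/flag names.
still_bundled() {
    bundled=$(list_bundled "$1")
    covered=$(unbundled_names "$2")
    for name in $bundled; do
        printf '%s\n' "$covered" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Demo on a constructed tree (not a real Qt checkout): three vendored
# libraries, of which the hypothetical configure line unbundles two.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/qtbase/src/3rdparty/zlib" \
         "$demo_tree/qtbase/src/3rdparty/libpng" \
         "$demo_tree/qtbase/src/3rdparty/sqlite"
echo "Bundled in tree:"
list_bundled "$demo_tree"
echo "Still compiled from bundled copy with '-system-zlib -system-libpng':"
still_bundled "$demo_tree" "-opensource -system-zlib -system-libpng"
rm -rf "$demo_tree"
```

Run it against an unpacked Qt source tree with the configure flags your package definition passes, and the final list is the set of vendored libraries whose upstream advisories you still need to watch; anything printed there is a candidate for another -system-<name> flag (where Qt offers one) or for explicit tracking in the package recipe.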