* bug#21288: Qt's bundled libraries must not be used
@ 2015-08-18 14:53 Ludovic Courtès
2015-10-04 10:49 ` Andreas Enge
2020-05-13 19:14 ` Efraim Flashner
0 siblings, 2 replies; 5+ messages in thread
From: Ludovic Courtès @ 2015-08-18 14:53 UTC (permalink / raw)
To: 21288
The bundled libraries in Qt are an obvious security issue, among other
concerns. This bug is to keep track of progress removing those bundled
libraries (esp. in Qt 5.)
For background, see:
https://lists.gnu.org/archive/html/guix-devel/2015-06/msg00302.html
https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00018.html
Ludo’.
* bug#21288: Qt's bundled libraries must not be used
From: Andreas Enge @ 2015-10-04 10:49 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 21288
Commit 7431ede removes the webkit module from qt-4.
Andreas
* bug#21288: Qt's bundled libraries must not be used
From: Andreas Enge @ 2015-10-04 21:05 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 21288
Commit bc554b4 compiles qt-5 with the system harfbuzz and removes a bundled
copy from our source code (the one called harfbuzz-ng; strangely, there is
another one, called harfbuzz, without which the package does not compile).
Commit 9c32e1f removes the bundled sqlite copy (the system sqlite was already
used before).
Some other system libraries are already used automatically; to make things
clearer, we could also remove their source code (from the corresponding
3rdparty/ subdirectories).
Andreas
* bug#21288: Qt's bundled libraries must not be used
From: Mark H Weaver @ 2015-10-05 2:09 UTC (permalink / raw)
To: Andreas Enge; +Cc: 21288
Hi Andreas,
Andreas Enge <andreas@enge.fr> writes:
> Commit bc554b4 compiles qt-5 with the system harfbuzz and removes a bundled
> copy from our source code (the one called harfbuzz-ng; strangely, there is
> another one, called harfbuzz, without which the package does not compile).
>
> Commit 9c32e1f removes the bundled sqlite copy (the system sqlite was already
> used before).
Sounds good, thank you!
> Some other system libraries are already used automatically; to make things
> clearer, we could also remove their source code (from the corresponding
> 3rdparty/ subdirectories).
Yes, I think we should remove as many bundled libraries as possible.
Even if the build system does not use the bundled libFOO today, a future
version might start using it, and so when there's a security flaw found
in libFOO, we will have to double-check to make sure it's really not
being used. It's much easier to just remove the bundled copies.
What do you think?
Mark
* bug#21288: Qt's bundled libraries must not be used
From: Efraim Flashner @ 2020-05-13 19:14 UTC (permalink / raw)
To: 21288-done
I think in the intervening 4.5 years we've done a good job of removing
the bundled libraries from qt-4 and qt-5 and then qtbase. I'm going to
consider this bug a success. The note in the snippet says there are a
few more bundled libraries, like md5 and sha3 (and harfbuzz) but we've
otherwise done a great job on this one.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
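
Added example (not part of the thread and not Guix code): a small audit that lists every bundled copy left under a 3rdparty/ subdirectory of an unpacked source tree and flags those not on a reviewed allow-list, which automates the double-check described in the 2015-10-05 reply and the leftover list in the closing message. The directory layout and the allow-list below are constructed for illustration; only the names harfbuzz, harfbuzz-ng, sqlite and libFOO come from the messages above.

```python
import os
import tempfile


def bundled_libraries(source_root, vendor_dir="3rdparty"):
    """Return sorted '/'-separated paths of each directory directly under a vendor_dir."""
    found = []
    for dirpath, dirnames, _files in os.walk(source_root):
        if os.path.basename(dirpath) == vendor_dir:
            for name in dirnames:
                rel = os.path.relpath(os.path.join(dirpath, name), source_root)
                found.append(rel.replace(os.sep, "/"))
            dirnames[:] = []  # do not descend into the bundled copies themselves
    return sorted(found)


def unexpected_bundles(source_root, allowed):
    """Bundled copies whose directory name is not on the reviewed allow-list."""
    return [path for path in bundled_libraries(source_root)
            if path.rsplit("/", 1)[-1] not in allowed]


def make_sample_tree(root):
    # Constructed layout, not the real Qt source tree.
    for rel in ("src/3rdparty/harfbuzz",
                "src/3rdparty/harfbuzz-ng",
                "src/3rdparty/sqlite",
                "src/corelib",
                "plugins/3rdparty/libFOO"):
        os.makedirs(os.path.join(root, *rel.split("/")))


def demo():
    """Audit the constructed tree with a hypothetical allow-list of one entry."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        # Assumption: 'harfbuzz' is kept because the build fails without it.
        return unexpected_bundles(root, allowed={"harfbuzz"})


if __name__ == "__main__":
    for path in demo():
        print("bundled copy still present:", path)
```

Run against the tree produced after the source snippet has been applied, an empty result means that only reviewed copies remain.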