* Help needed with security updates for Qt
@ 2015-06-16 14:20 Mark H Weaver
  2015-06-18 12:30 ` Ludovic Courtès
  2015-06-19 12:58 ` 宋文武
  0 siblings, 2 replies; 6+ messages in thread
From: Mark H Weaver @ 2015-06-16 14:20 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel

Hi,

Qt includes bundled copies of a *lot* of stuff.  Among other things, it
bundles Chromium, which also bundles a lot of stuff.  Someone who cares
about Qt needs to be on top of security updates for the things it
bundles.

Better yet, we should try to get it to use our system copies of
libraries whenever possible.

I'm aware of security updates for Chromium since the versions of Qt in
Guix were released.  There are probably many others as well.

If we make a separate Chromium package, then beware that there will
probably be FSDG issues that need to be addressed, e.g. offering to
install non-free software like flash, video codecs or plugins.  It may
be that we need to address these issues even if we don't make a separate
Chromium package, depending on how Qt uses it.

There's also stuff like this:

  "chromium: unconditionally downloads binary blob"
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909

It's a big hairy mess, and to be honest I don't want to touch Qt with a
ten foot pole.  Someone who cares about Qt needs to get on top of this.

Any takers?

      Mark


* Re: Help needed with security updates for Qt
  2015-06-16 14:20 Help needed with security updates for Qt Mark H Weaver
@ 2015-06-18 12:30 ` Ludovic Courtès
  2015-06-19 12:58 ` 宋文武
  1 sibling, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2015-06-18 12:30 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

I’m not really taking the offer ;-), but I agree that it’s crucial to
“do something about it.”

Chromium may be the most difficult of those bundled dependencies, but
there are probably others that are easier to get rid of, as a starter.

I hope we can share work with Debian and other distros that care.  Has
anyone checked how they’re dealing with it and what the amount of custom
patches is?

Ludo’.


* Re: Help needed with security updates for Qt
  2015-06-16 14:20 Help needed with security updates for Qt Mark H Weaver
  2015-06-18 12:30 ` Ludovic Courtès
@ 2015-06-19 12:58 ` 宋文武
  2015-06-19 13:29   ` Ludovic Courtès
  1 sibling, 1 reply; 6+ messages in thread
From: 宋文武 @ 2015-06-19 12:58 UTC (permalink / raw)
  To: Mark H Weaver, Andreas Enge; +Cc: guix-devel

Mark H Weaver <mhw@netris.org> writes:

> Hi,
>
> Qt includes bundled copies of a *lot* of stuff.  Among other things, it
> bundles Chromium, which also bundles a lot of stuff.  Someone who cares
> about Qt needs to be on top of security updates for the things it
> bundles.
>
> Better yet, we should try to get it to use our system copies of
> libraries whenever possible.
Yes, as far as I know, the remaining bundled libraries are:
  pcre, needs to be built with '--enable-pcre16'
  jasper, not packaged yet, and needs various security patches
  leveldb, not packaged yet
  harfbuzz, libtiff and libwebp

And for Qt5, QtWebEngine bundles Chromium.
>
> I'm aware of security updates for Chromium since the versions of Qt in
> Guix were released.  There are probably many others as well.
>
> If we make a separate Chromium package, then beware that there will
> probably be FSDG issues that need to be addressed, e.g. offering to
> install non-free software like flash, video codecs or plugins.  It may
> be that we need to address these issues even if we don't make a separate
> Chromium package, depending on how Qt uses it.
>
> There's also stuff like this:
>
>   "chromium: unconditionally downloads binary blob"
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
>
> It's a big hairy mess, and to be honest I don't want to touch Qt with a
> ten foot pole.  Someone who cares about Qt needs to get on top of this.
I'd like to try re-packaging qt5 with submodules, and drop QtWebEngine,
the same as Debian and NixOS did.


* Re: Help needed with security updates for Qt
  2015-06-19 12:58 ` 宋文武
@ 2015-06-19 13:29   ` Ludovic Courtès
  2015-06-20 14:14     ` 宋文武
  0 siblings, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2015-06-19 13:29 UTC (permalink / raw)
  To: 宋文武; +Cc: guix-devel

宋文武 <iyzsong@gmail.com> writes:

> Mark H Weaver <mhw@netris.org> writes:

[...]

>> Better yet, we should try to get it to use our system copies of
>> libraries whenever possible.
> Yes, as far as I know, the remaining bundled libraries are:
>   pcre, needs to be built with '--enable-pcre16'
>   jasper, not packaged yet, and needs various security patches
>   leveldb, not packaged yet
>   harfbuzz, libtiff and libwebp

Sounds doable.

> I'd like to try re-packaging qt5 with submodules, and drop QtWebEngine,
> the same as Debian and NixOS did.

And Fedora.  Ricardo found this insightful discussion:

  http://lists.qt-project.org/pipermail/development/2015-February/019960.html

+1 for removing QtWebEngine and thus having a snippet that removes the
bundled Chromium altogether.

Thanks,
Ludo’.


* Re: Help needed with security updates for Qt
  2015-06-19 13:29   ` Ludovic Courtès
@ 2015-06-20 14:14     ` 宋文武
  2015-06-21 21:15       ` Ludovic Courtès
  0 siblings, 1 reply; 6+ messages in thread
From: 宋文武 @ 2015-06-20 14:14 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

Ludovic Courtès <ludo@gnu.org> writes:

> [...]
>
>> I'd like to try re-packaging qt5 with submodules, and drop QtWebEngine,
>> the same as Debian and NixOS did.
>
> And Fedora.  Ricardo found this insightful discussion:
>
>   http://lists.qt-project.org/pipermail/development/2015-February/019960.html
>
> +1 for removing QtWebEngine and thus having a snippet that removes the
> bundled Chromium altogether.
Well, by building with submodule tarballs [1], Qt5 will be split into
various packages:
  qtbase, qtsvg, qtx11extras, etc.
The current monolithic qt package will be deprecated.

It seems that some hacks are needed, basically:
  - at build time:
    Make a 'qt.conf' and union the related 'lib' and 'mkspecs' for
    qmake.  This should be done in 'qmake-build-system'.
    FYI: nixpkgs's recipes [2] and qmake reference [3].

  - at run time:
    Set 'QT_PLUGIN_PATH' and other variables with a wrapper and/or
    profile envs.

And I believe this has to be done if we want to package KDE5,
since KF5 is a set of plugins for Qt.

[1] http://download.qt.io/official_releases/qt/5.4/5.4.2/submodules/
[2] https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/qt-5/5.4/setup-hook.sh
[3] http://doc.qt.io/qt-5/qmake-environment-reference.html#qmakespec
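Two things in this thread lend themselves to a small tool: the inventory of third-party copies a Qt module still bundles (the list in 宋文武's first reply, which is what a packager has to watch for security updates), and the split-install plumbing from the message above (a 'qt.conf' for qmake and a 'QT_PLUGIN_PATH' for the wrapper). The script below is an added example written for this page; it is not code from the thread, from Guix, or from Qt. The source-tree listing, the module names and the install prefixes are constructed for the example, and the 'lib/qt5/...' layout and the choice of qt.conf keys are assumptions about how a split install would be laid out, not Guix's actual conventions.

```python
import os

# Constructed example input: a flat listing of directories from a Qt 5
# submodule checkout, the kind of thing `find . -type d` prints.  These
# paths are made up for the example and are not a real inventory.
SAMPLE_TREE = """\
qtbase/src/3rdparty/pcre
qtbase/src/3rdparty/harfbuzz-ng
qtbase/src/3rdparty/freetype
qtbase/src/3rdparty/zlib
qtbase/src/corelib
qtimageformats/src/3rdparty/libtiff
qtimageformats/src/3rdparty/libwebp
qtimageformats/src/3rdparty/jasper
qtwebengine/src/3rdparty/chromium
qtwebengine/src/3rdparty/chromium/third_party/icu
qtsvg/src/svg
"""


def bundled_copies(listing):
    """Map each submodule to the set of third-party copies under its
    'src/3rdparty' directory.

    Only the first path component below '3rdparty' is counted, so a copy
    nested inside e.g. Chromium is attributed to Chromium: the packager
    can only de-bundle Chromium as a whole, not its own vendored parts.
    """
    found = {}
    for line in listing.splitlines():
        parts = line.strip().split("/")
        if "3rdparty" not in parts:
            continue
        i = parts.index("3rdparty")
        if i + 1 >= len(parts):
            continue  # the '3rdparty' directory itself, nothing below it
        found.setdefault(parts[0], set()).add(parts[i + 1])
    return found


def still_bundled(listing, system_provided):
    """Return {submodule: sorted names} of bundled copies that are not yet
    replaced by a system package.  Everything listed here is code whose
    security updates the packager has to track by hand."""
    out = {}
    for module, names in bundled_copies(listing).items():
        left = sorted(n for n in names if n not in system_provided)
        if left:
            out[module] = left
    return out


def qt_conf(prefix):
    """Text of a qt.conf telling qmake and QtCore where a split install
    lives.  The relative locations are an assumed layout for this example;
    mkspecs are looked up below ArchData."""
    return (
        "[Paths]\n"
        f"Prefix={prefix}\n"
        "Headers=include/qt5\n"
        "Libraries=lib\n"
        "Plugins=lib/qt5/plugins\n"
        "ArchData=lib/qt5\n"
    )


def plugin_path(prefixes):
    """Value for QT_PLUGIN_PATH in a wrapper: one 'plugins' directory per
    installed Qt module prefix, joined with the Unix ':' separator."""
    return ":".join(os.path.join(p, "lib", "qt5", "plugins") for p in prefixes)


if __name__ == "__main__":
    # Suppose pcre, harfbuzz-ng, freetype and zlib already come from
    # system packages; print what still needs watching, then the wrapper
    # environment for two constructed store prefixes.
    system = {"pcre", "harfbuzz-ng", "freetype", "zlib"}
    for module, names in still_bundled(SAMPLE_TREE, system).items():
        print(f"{module}: still bundles {', '.join(names)}")
    print(qt_conf("/opt/qt5"))
    print("QT_PLUGIN_PATH=" + plugin_path(["/opt/qtbase", "/opt/qtsvg"]))
```

Run against a real checkout, the listing would come from `find qt* -type d` and the `system_provided` set from the package recipe's inputs; the output is the list of copies that still need a de-bundling patch or, failing that, their own security-update tracking.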


* Re: Help needed with security updates for Qt
  2015-06-20 14:14     ` 宋文武
@ 2015-06-21 21:15       ` Ludovic Courtès
  0 siblings, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2015-06-21 21:15 UTC (permalink / raw)
  To: 宋文武; +Cc: guix-devel

宋文武 <iyzsong@gmail.com> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> [...]
>>
>>> I'd like to try re-packaging qt5 with submodules, and drop QtWebEngine,
>>> the same as Debian and NixOS did.
>>
>> And Fedora.  Ricardo found this insightful discussion:
>>
>>   http://lists.qt-project.org/pipermail/development/2015-February/019960.html
>>
>> +1 for removing QtWebEngine and thus having a snippet that removes the
>> bundled Chromium altogether.
> Well, by building with submodule tarballs [1], Qt5 will be split into
> various packages:
>   qtbase, qtsvg, qtx11extras, etc.
> The current monolithic qt package will be deprecated.

Ah OK, didn’t know that.

> It seems that some hacks are needed, basically:
>   - at build time:
>     Make a 'qt.conf' and union the related 'lib' and 'mkspecs' for
>     qmake.  This should be done in 'qmake-build-system'.
>     FYI: nixpkgs's recipes [2] and qmake reference [3].
>
>   - at run time:
>     Set 'QT_PLUGIN_PATH' and other variables with a wrapper and/or
>     profile envs.
>
> And I believe this has to be done if we want to package KDE5,
> since KF5 is a set of plugins for Qt.

Sounds like a good plan.  Thanks for looking into it!

Ludo’.

