Re: Help needed with security updates for Qt

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: 宋文武 <iyzsong@gmail.com>
To: Mark H Weaver <mhw@netris.org>, Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org
Subject: Re: Help needed with security updates for Qt
Date: Fri, 19 Jun 2015 20:58:30 +0800	[thread overview]
Message-ID: <87k2uzlurt.fsf@gmail.com> (raw)
In-Reply-To: <87mvzzg2f3.fsf@netris.org>

Mark H Weaver <mhw@netris.org> writes:

> Hi,
>
> Qt includes bundled copies of a *lot* of stuff.  Among other things, it
> bundles Chromium, which also bundles a lot of stuff.  Someone who cares
> about Qt needs to be on top of security updates for the things it
> bundles.
>
> Better yet, we should try to get it to use our system copies of
> libraries whenever possible.
Yes, as I know, the remains bundled libraries are:
  pcre, need build with '--enable-pcre16'
  jasper, not packaged yet, and need various security patches
  leveldb, not packaged yet
  harfbuzz, libtiff and libwebp

And for Qt5, the QtWebEngine bundled Chromium.
>
> I'm aware of security updates for Chromium since the versions of Qt in
> Guix were released.  There are probably many others as well.
>
> If we make a separate Chromium package, then beware that there will
> probably be FSDG issues that need to be addressed, e.g. offering to
> install non-free software like flash, video codecs or plugins.  It may
> be that we need to address these issues even if we don't make a separate
> Chromium package, depending on how Qt uses it.
>
> There's also stuff like this:
>
>   "chromium: unconditionally downloads binary blob"
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
>
> It's a big hairy mess, and to be honest I don't want to touch Qt with a
> ten foot pole.  Someone who cares about Qt needs to get on top of this.
I'd like to try re-package qt5 with submodules, and drop QtWebEngine.
As same as Debian and NixOS did.

next prev parent reply	other threads:[~2015-06-19 12:57 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-06-16 14:20 Help needed with security updates for Qt Mark H Weaver
2015-06-18 12:30 ` Ludovic Courtès
2015-06-19 12:58 ` 宋文武 [this message]
2015-06-19 13:29   ` Ludovic Courtès
2015-06-20 14:14     ` 宋文武
2015-06-21 21:15       ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87k2uzlurt.fsf@gmail.com \
    --to=iyzsong@gmail.com \
    --cc=andreas@enge.fr \
    --cc=guix-devel@gnu.org \
    --cc=mhw@netris.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.