From: Jack Hill
Subject: qtwebengine support/security status
Date: Mon, 20 Jan 2020 21:35:45 -0500 (EST)
To: help-guix@gnu.org

Hi Guix,

Thanks to Mike and everyone for working on qtwebengine and qutebrowser. I'm happy and thankful that Guix's features and the community's commitment allow packaging these in a principled way.

Before I use these packages to browse untrusted websites, I wanted to double check that it is safe to do so. According to [0] we are using Qt 5.12.6 which is the latest LTS. I agree with the assessment there that that's pretty good. However the messaging from Qt, "We do update to the latest Chromium version in use before a Qt release. After a release some bug fixes and security patches are backported. For LTS releases of Qt we might also update Chromium in a patch level release," [1] makes me less sure that qtwebengine will continue to be secure over the lifetime of a Qt release. qtwebengine at 69.0.3497.128 already seems to be behind our ungoogled-chromium package at 78.0.3904.108.

[0] https://issues.guix.gnu.org/issue/38148#5
[1] https://wiki.qt.io/QtWebEngine

I'm also curious how Qt releases will be handled in Guix. Can they go directly to master, or will they need to go through a staging or core-updates cycle?

To summarize, do we think it's prudent to expose our qtwebengine to random web pages?

Thanks for your thoughts and all the hard work!

Best,
Jack