From: Jack Hill
Subject: Re: qtwebengine support/security status
Date: Tue, 21 Jan 2020 13:29:00 -0500 (EST)
To: help-guix@gnu.org

On Mon, 20 Jan 2020, Jack Hill wrote:

> Hi Guix,
>
> Thanks to Mike and everyone for working on qtwebengine and qutebrowser. I'm
> happy and thankful that Guix's features and the community's commitment allow
> packaging these in a principled way.
>
> Before I use these packages to browse untrusted websites, I wanted to double
> check that it is safe to do so. According to [0] we are using Qt 5.12.6 which
> is the latest LTS. I agree with the assessment there that that's pretty good.
> However the messaging from Qt, "We do update to the latest Chromium version
> in use before a Qt release. After a release some bug fixes and security
> patches are backported. For LTS releases of Qt we might also update Chromium
> in a patch level release," [1] makes me less sure that qtwebengine will
> continue to be secure over the lifetime of a Qt release. qtwebengine at
> 69.0.3497.128 already seems to be behind our ungoogled-chromium package at
> 78.0.3904.108.
>
> [0] https://issues.guix.gnu.org/issue/38148#5
> [1] https://wiki.qt.io/QtWebEngine
>
> I'm also curious how Qt releases will be handled in Guix. Can they go
> directly to master, or will they need to go through a staging or core-updates
> cycle?
>
> So to summarize, do we think it's prudent to expose our qtwebengine to random
> web pages? Thanks for your thoughts and all the hard work!

I also asked about this on the #qutebrowser IRC channel. The_Compiler,
qutebrowser's primary developer, said:

"""
< The-Compiler> jackhill: they do backport security fixes since Qt 5.12 is an LTS release, but it's mostly a "best effort" kind of thing
< The-Compiler> jackhill: I use (and recommend) the latest Qt release as soon as show-stopper bugs are fixed, usually in the .1 release (and for Archlinux I ask the packager to backport patches)
"""

Does this mean that we should keep the latest qtwebengine for web browsers as well?

Best,
Jack