guix-devel

Re: Help needed with security updates for Qt


From: 宋文武
Subject: Re: Help needed with security updates for Qt
Date: Fri, 19 Jun 2015 20:58:30 +0800
User-agent: Notmuch/0.18.1 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-unknown-linux-gnu)

Mark H Weaver <address@hidden> writes:

> Hi,
>
> Qt includes bundled copies of a *lot* of stuff.  Among other things, it
> bundles Chromium, which also bundles a lot of stuff.  Someone who cares
> about Qt needs to be on top of security updates for the things it
> bundles.
>
> Better yet, we should try to get it to use our system copies of
> libraries whenever possible.

Yes, as far as I know, the remaining bundled libraries are:
  pcre, needs to be built with '--enable-pcre16'
  jasper, not packaged yet, and needs various security patches
  leveldb, not packaged yet
  harfbuzz, libtiff and libwebp

And for Qt5, the QtWebEngine-bundled Chromium.

>
> I'm aware of security updates for Chromium since the versions of Qt in
> Guix were released.  There are probably many others as well.
>
> If we make a separate Chromium package, then beware that there will
> probably be FSDG issues that need to be addressed, e.g. offering to
> install non-free software like flash, video codecs or plugins.  It may
> be that we need to address these issues even if we don't make a separate
> Chromium package, depending on how Qt uses it.
>
> There's also stuff like this:
>
>   "chromium: unconditionally downloads binary blob"
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
>
> It's a big hairy mess, and to be honest I don't want to touch Qt with a
> ten foot pole.  Someone who cares about Qt needs to get on top of this.

I'd like to try to re-package qt5 with submodules, and drop QtWebEngine,
the same as Debian and NixOS did.


