Re: Security updates for bundled copies of libraries in Qt

[Andreas Enge]

Hello,

On Sun, Aug 02, 2015 at 03:24:18PM -0400, Mark H Weaver wrote:
> Andreas Enge <address@hidden> writes:
> > In any case, feel free to implement a more modular qt, for me
> > this is not a priority.
> 
> Fair enough, but consider this: IMO, the most severe problem with using
> bundled copies of libraries has to do with security updates.  We have
> yet to develop a security policy, but in my opinion we should not allow
> software with known security flaws to remain in Guix for more than a
> short time.  Either someone must take responsibility for applying
> security fixes to a given package, or else that package should be
> removed.  Does that make sense?

bundled copies are definitely very annoying, and I agree we should try
to avoid them. But the question on whether Qt should be built in a modular
fashion (supposedly, that would mean that there would be different output
packages with different libraries?) is orthogonal to the problem of bundled
libraries, if I understand things correctly.

Already now, we can drop modules from our build, as we did for
qtwebengine bundlind chromium. Are there others we should drop?

> In the meantime, I honestly have no idea what security holes exist in
> our Qt packages, so I've purged all software that depends on Qt from my
> system.

I think it would be nice if we could drop qt-4; I recently switched vlc over
to qt-5.

Could you maybe try if our current qt-5 package could be enabled on mips?
My one-core machine is so incredibly slow that I do not have the courage
to try compiling there...

> I've been doing my best to apply security fixes to Guix in a timely
> fashion -- which turns out to be a big job and I could use more help

How do you do it? Are you subscribed to the CVEs, or do you look them
up manually? Could the search for them be automated for our packages?

Andreas