Re: Staying on top of Qt security

[Andreas Enge]

Hi Leo,

thanks for your initiative!

On Sun, Feb 14, 2016 at 03:01:43PM -0500, Leo Famulari wrote:
> I think we need a Qt champion(s) for Guix.

I am not volunteering, mainly because I am not a Qt champion (but I am
interested in the package).

> $ guix refresh -l qt-4                        
> Building the following 18 packages would ensure 24 dependent packages
> are rebuilt: soprano-2.9.4 python2-pyqt-4.11.4 polkit-qt-1-0.112.0
> frescobaldi-2.18.1 keepassx-2.0.2 hydrogen-0.9.5.1 strigi-0.7.8
> attica-0.4.2 pumpa-0.9.2 libdbusmenu-qt-0.9.2 phonon-4.8.3
> brdf-explorer-17 gpsbabel-1.5.0 librecad-2.0.6-rc
> alsa-modular-synth-2.1.2 qtractor-0.7.3 ardour-4.4 jalv-1.4.6

Some of them have no dependent packages, and I think they are mainly or
exclusively used for KDE-4, which I started packaging a while ago (and
dropped again when I got my Novena, as it turns out that KDE is too
resource demanding). In any case, we would package KDE-5 now, and I would
suggest to simply remove these packages. There are traces in git, so if
it turns out we will need them in the end, we can still revive them.
This concerns:
attica soprano strigi polkit-qt automoc4 qjson libdbusmenu-qt
So while we are it it, I suggest to simply remove kde.scm (there is no use
in keeping a lonely oxygen-icons around...).

Also, python2-pyqt has no dependent package.

I looked at frescobaldi; they claim that a Qt-5 port is on the TODO list
for their version 3, but without giving any timings.

If there is no outcry, I will remove the above-mentioned packages/modules.

Could maybe people using the other packages have a look at them?

Chris, what about pumpa?

Andreas