Mark H Weaver <m...@netris.org> writes:

> Hi,
>
> Qt includes bundled copies of a *lot* of stuff. Among other things, it
> bundles Chromium, which also bundles a lot of stuff. Someone who cares
> about Qt needs to be on top of security updates for the things it
> bundles.
>
> Better yet, we should try to get it to use our system copies of
> libraries whenever possible.

Yes, as far as I know, the remaining bundled libraries are:

  pcre, needs to be built with '--enable-pcre16'
  jasper, not packaged yet, and needs various security patches
  leveldb, not packaged yet
  harfbuzz, libtiff and libwebp

And for Qt5, QtWebEngine bundles Chromium.

> I'm aware of security updates for Chromium since the versions of Qt in
> Guix were released. There are probably many others as well.
>
> If we make a separate Chromium package, then beware that there will
> probably be FSDG issues that need to be addressed, e.g. offering to
> install non-free software like flash, video codecs or plugins. It may
> be that we need to address these issues even if we don't make a separate
> Chromium package, depending on how Qt uses it.
>
> There's also stuff like this:
>
> "chromium: unconditionally downloads binary blob"
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
>
> It's a big hairy mess, and to be honest I don't want to touch Qt with a
> ten foot pole. Someone who cares about Qt needs to get on top of this.

I'd like to try to re-package qt5 with submodules, and drop QtWebEngine. The same as Debian and NixOS did.