Hi Guix,
Thanks to Mike and everyone for working on qtwebengine and qutebrowser.
I'm happy and thankful that Guix's features and the community's commitment
allow packaging these in a principled way.
Before I use these packages to browse untrusted websites, I wanted to
double check that it is safe to do so. According to [0] we are using Qt
5.12.6 which is the latest LTS. I agree with the assessment there that
that's pretty good. However the messaging from Qt, "We do update to the
latest Chromium version in use before a Qt release. After a release some
bug fixes and security patches are backported. For LTS releases of Qt we
might also update Chromium in a patch level release," [1] makes me less
sure that qtwebengine will continue to be secure over the lifetime of a Qt
release. qtwebengine at 69.0.3497.128 already seems to be behind our
ungoogled-chromium package at 78.0.3904.108.
[0] https://issues.guix.gnu.org/issue/38148#5
[1] https://wiki.qt.io/QtWebEngine
I'm also curious how Qt releases will be handled in Guix. Can they go
directly to master, or will they need to go through a staging or
core-updates cycle?
To summarize, do we think it's prudent to expose our qtwebengine to random
web pages? Thanks for your thoughts and all the hard work!
Best,
Jack