On Mon, 20 Jan 2020, Jack Hill wrote:
Hi Guix,
Thanks to Mike and everyone for working on qtwebengine and qutebrowser. I'm
happy and thankful that Guix's features and the community's commitment allow
packaging these in a principled way.
Before I use these packages to browse untrusted websites, I wanted to double
check that it is safe to do so. According to [0] we are using Qt 5.12.6 which
is the latest LTS. I agree with the assessment there that that's pretty good.
However the messaging from Qt, "We do update to the latest Chromium version
in use before a Qt release. After a release some bug fixes and security
patches are backported. For LTS releases of Qt we might also update Chromium
in a patch level release," [1] makes me less sure that qtwebengine will
continue to be secure over the lifetime of a Qt release. qtwebengine at
69.0.3497.128 already seems to be behind our ungoogled-chromium package at
78.0.3904.108.
[0] https://issues.guix.gnu.org/issue/38148#5
[1] https://wiki.qt.io/QtWebEngine
I'm also curious how Qt releases will be handled in Guix. Can they go
directly to master, or will they need to go through a staging or core-updates
cycle?
To summarize, do we think it's prudent to expose our qtwebengine to random
web pages? Thanks for your thoughts and all the hard work!
I also asked about this on the #qutebrowser IRC channel.
The_Compiler, qutebrowser's primary developer, said,
"""
< The-Compiler> jackhill: they do backport security fixes since Qt
5.12 is an LTS release, but it's mostly a "best effort" kind of thing
< The-Compiler> jackhill: I use (and recommend) the latest Qt
release as soon as show-stopper bugs are fixed, usually in the .1 release
(and for Archlinux I ask the packager to backport patches)
"""
Does this mean that we should keep the latest qtwebengine for web browsers
as well?
Best,
Jack