help-guix

qtwebengine support/security status


From: Jack Hill
Subject: qtwebengine support/security status
Date: Mon, 20 Jan 2020 21:35:45 -0500 (EST)
User-agent: Alpine 2.20 (DEB 67 2015-01-07)

Hi Guix,

Thanks to Mike and everyone for working on qtwebengine and qutebrowser. I'm happy and thankful that Guix's features and the community's commitment allow packaging these in a principled way.

Before I use these packages to browse untrusted websites, I wanted to double-check that it is safe to do so. According to [0], we are using Qt 5.12.6, which is the latest LTS. I agree with the assessment there that that's pretty good. However, the messaging from Qt, "We do update to the latest Chromium version in use before a Qt release. After a release some bug fixes and security patches are backported. For LTS releases of Qt we might also update Chromium in a patch level release," [1] makes me less sure that qtwebengine will continue to be secure over the lifetime of a Qt release. qtwebengine at 69.0.3497.128 already seems to be behind our ungoogled-chromium package at 78.0.3904.108.

[0] https://issues.guix.gnu.org/issue/38148#5
[1] https://wiki.qt.io/QtWebEngine

I'm also curious how Qt releases will be handled in Guix. Can they go directly to master, or will they need to go through a staging or core-updates cycle?

To summarize, do we think it's prudent to expose our qtwebengine to random web pages? Thanks for your thoughts and all the hard work!

Best,
Jack


