GNU bug report logs - #21288: Qt's bundled libraries must not be used
Reported by: ludo <at> gnu.org (Ludovic Courtès)
Date: Tue, 18 Aug 2015 14:54:01 UTC
Severity: normal
Done: Efraim Flashner <efraim <at> flashner.co.il>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#21288; Package guix. (Tue, 18 Aug 2015 14:54:02 GMT)
Acknowledgement sent to ludo <at> gnu.org (Ludovic Courtès): New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 18 Aug 2015 14:54:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
The bundled libraries in Qt are an obvious security issue, among other
concerns. This bug is to keep track of progress removing those bundled
libraries (esp. in Qt 5).
For background, see:
https://lists.gnu.org/archive/html/guix-devel/2015-06/msg00302.html
https://lists.gnu.org/archive/html/guix-devel/2015-08/msg00018.html
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#21288; Package guix. (Sun, 04 Oct 2015 10:51:02 GMT)
Message #8 received at 21288 <at> debbugs.gnu.org:
Commit 7431ede removes the webkit module from qt-4.
Andreas
Information forwarded to bug-guix <at> gnu.org: bug#21288; Package guix. (Sun, 04 Oct 2015 21:06:01 GMT)
Message #11 received at 21288 <at> debbugs.gnu.org:
Commit bc554b4 compiles qt-5 with the system harfbuzz and removes a bundled
copy from our source code (the one called harfbuzz-ng; strangely, there is
another one, called harfbuzz, without which the package does not compile).
Commit 9c32e1f removes the bundled sqlite copy (the system sqlite was already
used before).
Some other system libraries are already used automatically; to make things
clearer, we could also remove their source code (from the corresponding
3rdparty/ subdirectories).
Andreas
Information forwarded to bug-guix <at> gnu.org: bug#21288; Package guix. (Mon, 05 Oct 2015 02:10:02 GMT)
Message #14 received at 21288 <at> debbugs.gnu.org:
Hi Andreas,
Andreas Enge <andreas <at> enge.fr> writes:
> Commit bc554b4 compiles qt-5 with the system harfbuzz and removes a bundled
> copy from our source code (the one called harfbuzz-ng; strangely, there is
> another one, called harfbuzz, without which the package does not compile).
>
> Commit 9c32e1f removes the bundled sqlite copy (the system sqlite was already
> used before).
Sounds good, thank you!
> Some other system libraries are already used automatically; to make things
> clearer, we could also remove their source code (from the corresponding
> 3rdparty/ subdirectories).
Yes, I think we should remove as many bundled libraries as possible.
Even if the build system does not use the bundled libFOO today, a future
version might start using it, and so when there's a security flaw found
in libFOO, we will have to double-check to make sure it's really not
being used. It's much easier to just remove the bundled copies.
What do you think?
Mark
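To show what the removal Andreas and Mark describe looks like in a Guix package definition, here is an added example (not the actual Guix qt package and not code from any message in this thread): the origin snippet deletes the bundled harfbuzz-ng and sqlite trees from src/3rdparty/ before the build, and the configure phase passes Qt's -system-harfbuzz/-system-sqlite flags so the system copies are linked. The version, URL, hash and package name are placeholders.

```scheme
;; Added example: not the actual Guix qt package.  Version, URL and hash are
;; placeholders; directory names assume the Qt 5 src/3rdparty/ layout.
(define-module (example qt-unbundled)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages fontutils)   ; harfbuzz
  #:use-module (gnu packages sqlite))

(define-public qtbase-unbundled
  (package
    (name "qtbase-unbundled")
    (version "5.X.Y")                                   ; placeholder
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://example.invalid/qtbase-" version ".tar.xz"))
       (sha256 (base32 "0000000000000000000000000000000000000000000000000000")) ; placeholder
       (modules '((guix build utils)))
       ;; Delete the bundled copies before the build starts, so a future Qt
       ;; build-system change cannot silently fall back to them.
       (snippet
        '(begin
           (for-each delete-file-recursively
                     '("src/3rdparty/harfbuzz-ng"
                       "src/3rdparty/sqlite"))
           #t))))
    (build-system gnu-build-system)
    (inputs
     `(("harfbuzz" ,harfbuzz)
       ("sqlite" ,sqlite)))
    (arguments
     `(#:phases
       (modify-phases %standard-phases
         ;; Qt ships its own configure script; point it at the system
         ;; libraries explicitly instead of relying on auto-detection.
         (replace 'configure
           (lambda* (#:key outputs #:allow-other-keys)
             (invoke "./configure"
                     "-opensource" "-confirm-license"
                     "-prefix" (assoc-ref outputs "out")
                     "-system-harfbuzz"
                     "-system-sqlite"))))))
    (home-page "https://www.qt.io/")
    (synopsis "Qt base module built against system libraries only")
    (description "Qt base with its bundled harfbuzz-ng and sqlite sources
removed and the corresponding system libraries used instead.")
    (license license:lgpl2.1)))
```

Because the snippet runs when the source is unpacked, the deleted directories are also absent from the package's source derivation, so `guix build -S` output can be inspected to confirm the bundled copies are gone.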
Reply sent to Efraim Flashner <efraim <at> flashner.co.il>: You have taken responsibility. (Wed, 13 May 2020 19:16:02 GMT)
Notification sent to ludo <at> gnu.org (Ludovic Courtès): bug acknowledged by developer. (Wed, 13 May 2020 19:16:02 GMT)
Message #19 received at 21288-done <at> debbugs.gnu.org:
I think in the intervening 4.5 years we've done a good job of removing
the bundled libraries from qt-4 and qt-5 and then qtbase. I'm going to
consider this bug a success. The note in the snippet says there are a
few more bundled libraries, like md5 and sha3 (and harfbuzz) but we've
otherwise done a great job on this one.
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 11 Jun 2020 11:24:09 GMT)
This bug report was last modified 4 years and 289 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.