Mustafa Muhammad wrote:
> The biggest problem I see (bigger than extensions, which I care about
> a lot), is security updates, will QtWebEngine be updated immediately
> with upstream Chromium (Blink)?
>
> "This version of Qt WebEngine is based on Chromium snapshot version
> 45.0.2554.101, with additional security fixes from the 46, 47 and 48
> branches of the Chromium Project." [1]

This is the typical example of a statement that was accurate when written,
but has become obsolete, or at least misleadingly incomplete.

> What about 49, 50, 51? Chrome 48, based on Chromium 48, was released on
> January 20, 2016, (best thing I found regarding Chromium 48 was Nov
> 13th, 2015 from [3])
>
> This is several months (6~8) worth of "known" security
> vulnerabilities, fixed upstream in later releases.
> If they reach QtWebEngine in a timely manner, this should be OK, if we
> wait for the next QtWebEngine, this is not acceptable.

Qt continuously backports Chromium security fixes to the stable Qt branches.
See e.g.:
http://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=45-based (5.6)
http://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=49-based (5.7)
They are released with every bugfix release of Qt (5.6.1, 5.6.2, …). I
suppose that for really critical fixes, a separate advisory or even an
unscheduled Qt release would be made, as is done for all the other Qt
components.

        Kevin Kofler