Demi Marie Obenour wrote:
> Arch uses the upstream *source* code, but not the binaries, if I
> understand correctly. They just don’t have anywhere near as many
> patches as Fedora does. I suspect this is a combination of factors.
> First, Arch builds use clang and more bundled libraries, so they are
> more similar to what Google itself uses and break less often. Second,
> Arch has zero problems with shipping patent-encumbered media codecs, as
> (if I recall correctly) Arch is based in a nation where such patents
> simply are not enforceable. So they can just use the codecs that
> Chromium comes with already.

Arch also has the AUR where there are plenty of "packages" that just repackage somebody else's binaries. They are a lot less strict about packaging only verifiably Free Software. But building from source is the only way to ensure that the binaries are actually compiled from that exact source code. (Then of course you also have to trust the compiler, but that is another story.)

As for the issue of Chromium patches, well, they are all there for a reason: some due to legal requirements, some because Fedora (especially Rawhide) tends to ship a newer glibc than what upstream Google tested with, which tends to break their seccomp sandbox every so often, etc. (Note that QtWebEngine tends to have fewer patches than Chromium, also because Qt applies some of those patches in their bundled Chromium.)

> Electron is going to be a nightmare for all sorts of other reasons,
> starting with the need to rebuild all of the minified JavaScript,
> CSS, and HTML from unminified source code.

Electron is a pain in the neck and I do not want to spend my time packaging it, but it looks like we have a volunteer attempting it now.

> Can Fedora just reuse the upstream QtWebEngine build scripts?

What build scripts do you want to reuse? Of course we use the qmake (in Qt 5, CMake in Qt 6, but we do not have QtWebEngine 6 packaged yet) build system that they wrote. There are not really any upstream build scripts we can use beyond that.

> What would it take to get all of the users of QtWebEngine onto 6.2? I
> don’t think Fedora should ship any version of QtWebEngine except the
> latest, since only the latest version appears to get regular patches.

Well, even 6.2 does not get patches as regularly as you expect. As I said, the CVEs you listed will be fixed in Qt 6.2.4, which is still not released yet.

QtWebEngine 5.15 does also still get LTS releases with security fixes (and the LTS branches of QtWebEngine and its qtwebengine-chromium submodule are public and LGPL-licensed). Just not as frequently. Only when they release a Qt 5.15.x commercial LTS.

And moving all the users to QtWebEngine 6 is not going to happen overnight, because it means moving them completely to Qt 6. In particular, if they use KF5 libraries, they will also need to move to the KF6 equivalents, and there is no KF6 release yet at all that they could move to.

> Yeah, but for QtWebEngine I imagine much of the work is handled by The
> Qt Company and Fedora can just reuse their build scripts.

If you think a turnaround time of > 1 month for security fixes is too long, then we would have to do our own backports though, because 1+ month(s) is quite normal for the latest Qt branch, LTS branches are even slower. And rebasing QtWebEngine to a newer Chromium is even harder than backporting security fixes to the existing branch.

Kevin Kofler