Hi, QtWebEngine is used as the HTML component for many Qt applications, including large parts of the KDE software universe. It is used by web browsers such as Falkon, but also, e.g., by KMail/Kontact. The version that is currently (still) used the most is the Qt 5 version. There is also a Qt 6 version (has been there since 6.2), which is not currently packaged in Fedora at all. That, too, needs someone to pick up the work. But most of the relevant applications are still stuck on Qt 5 anyway, so this message will focus on the Qt 5 version. The qt5-qtwebengine package is currently maintained mainly by 2 people: Rex Dieter (rdieter) and me (kkofler). I used to be the primary maintainer, but had to resign from that a few years ago due to mainly lack of time. (There were at the time also some packaging details that I was unhappy with, but those have all since either been fixed or stopped being relevant. Lack of time is the big issue that is left.) At that point, Rex Dieter had picked up the package, but he clearly also lacks the time to really take care of it (see the evidence below). The package is also open to commits from all @kde- sig group members, but most of the work is done by the two admin-level maintainers, i.e., Rex and me. Qt releases a security update for 5.15.x every couple months. (There were around 2 months between 5.15.9 and 5.15.10, around 3 between 5.15.8 and 5.15.9.) While Qt 5.15.x LTS is mostly commercial-only (with ancient 1-year- old releases being released under the LGPL), this does not apply to QtWebEngine, which is based on third-party LGPL code (mostly the WebKit and KHTML code on which Chromium's Blink is based), and is hence available under the LGPL from the public git repository. (There are, however, no official tarballs until 1 year later, so we have a script to roll our own from git. We need a custom tarball with patent-encumbered stuff ripped out by a script anyway, so that just makes the tarball generation one more script to run first.) Since each 5.15.x release includes a whole bunch of backported security fixes, and not many other changes (should in principle be bugfix- only), it is imperative to get these out to our users as quickly as possible. Those security fixes are already delayed by weeks compared to Chromium upstream, we should not add our own lag to that. Now, when we look at how fast (or rather, how slow, sadly) Fedora has been to roll out qt5-qtwebengine security fixes to users of stable releases, the results are very disappointing, see: https://bugzilla.redhat.com/show_bug.cgi?id=2043381 https://bugzilla.redhat.com/show_bug.cgi?id=2079655 The current situation is that 5.15.10 has been tagged in git for almost two months. Yet, Rawhide is stuck at 5.15.9, and even that has so far not been pushed to the currently supported stable releases (Fedora 35 and 36), almost 4 months after it was tagged. So, since all current maintainers of qt5-qtwebengine, including me, are failing badly at keeping the package up to date with security fixes, this is an urgent plea for help. The current situation is not acceptable, any helping hands to improve on it would be extremely welcome. I have admin rights to the package, so I can add comaintainers that wish so. Kevin Kofler _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
