Re: Fedora Linux 38 blocker status summary

Demi Marie Obenour wrote:
> And is kept up to date, unlike QtWebEngine.  QtWebEngine is invariably
> behind on security patches.  I blame Google for not making embedded
> Chromium a first-class citizen.

Qt backports security fixes to its stable branches, a service Google is not 
offering by themselves. (Firefox, on the other hand, does support something 
comparable, with Firefox ESR, but Fedora chooses not to ship that.) Of 
course, backporting fixes takes time.

Even Qt 5 QtWebEngine (considered obsolete by Qt) still gets security fixes, 
and they are published in git under the LGPL as soon as the commercial Qt 
5.15.x LTS release is released. (In fact, they are pushed even earlier, as 
soon as they are backported by Qt developers, and the branch is then tagged 
when the commercial LTS is released. But the backports typically happen on 
the Qt release schedule, meaning they are usually only done in git when a Qt 
release is planned soon, not daily.)

Now, does that mean there is a delay between when the patch is released by 
Google and when it is released by Qt? Yes, it does. But we have actually 
been sitting longer on those security fixes in Fedora than Qt did, e.g., 
QtWebEngine 5.15.11 was never pushed, and 5.15.12 took 3+ weeks to get out 
to Fedora users. At that point, Fedora had been sitting on the 5.15.11 
security fixes for 3+ months, and missed the deadline for getting those out 
to users of Fedora 35 before its EOL. So before complaining about the 
delayed security fixes in Qt, we should focus on getting QtWebEngine 
releases out to users much faster (and the updates should always be tagged 
as "security", not "bugfix" or even "enhancement").

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx