Author: ken
Date: Thu Mar 18 21:32:57 2021
New Revision: 24382

Log:
Update qtwebengine to 5.15.3 from git.

This is a lot bigger and slower to build. Downgrade the 'Caution's in qtwebengine and falkon to 'Warning's. I am not yet suggesting we should deprecate those two packages, but users should start to ask themselves whether they want to use a package where the upstreams are happy to stick with python2 and have no interest in running on current glibc.

Modified: trunk/BOOK/general.ent trunk/BOOK/introduction/welcome/changelog.xml trunk/BOOK/packages.ent trunk/BOOK/x/lib/qtwebengine.xml trunk/BOOK/xsoft/graphweb/falkon.xml Modified: trunk/BOOK/general.ent ============================================================================== --- trunk/BOOK/general.ent Wed Mar 17 10:54:14 2021 (r24381) +++ trunk/BOOK/general.ent Thu Mar 18 21:32:57 2021 (r24382) @@ -1,12 +1,12 @@ <!-- $LastChangedBy$ $Date$ --> -<!ENTITY day "17"> <!-- Always 2 digits --> +<!ENTITY day "18"> <!-- Always 2 digits --> <!ENTITY month "03"> <!-- Always 2 digits --> <!ENTITY year "2021"> <!ENTITY copyrightdate "2001-&year;"> <!ENTITY copyholder "The BLFS Development Team"> <!ENTITY version "&year;-&month;-&day;"> -<!ENTITY releasedate "March 17th, &year;"> +<!ENTITY releasedate "March 18th, &year;"> <!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP --> <!ENTITY blfs-version "svn"> <!-- svn|[release #] --> <!ENTITY lfs-version "development"> <!-- x.y|development --> Modified: trunk/BOOK/introduction/welcome/changelog.xml ============================================================================== --- trunk/BOOK/introduction/welcome/changelog.xml Wed Mar 17 10:54:14 2021 (r24381) +++ trunk/BOOK/introduction/welcome/changelog.xml Thu Mar 18 21:32:57 2021 (r24382) 
@@ -42,6 +42,16 @@ </listitem> --> <listitem> + <para>March 18th, 2021</para> + <itemizedlist> + <listitem> + <para>[ken] - Update to qtwebengine-5.15.3 from git (security fixes). + Fixes <ulink url="&blfs-ticket-root;14729">#14729</ulink>.</para> + </listitem> + </itemizedlist> + </listitem> + + <listitem> <para>March 17th, 2021</para> <itemizedlist> <listitem> Modified: trunk/BOOK/packages.ent ============================================================================== --- trunk/BOOK/packages.ent Wed Mar 17 10:54:14 2021 (r24381) +++ trunk/BOOK/packages.ent Thu Mar 18 21:32:57 2021 (r24382) @@ -756,7 +756,7 @@ <!ENTITY pango-version "1.48.3"> <!ENTITY pangomm-version "2.46.0"> <!ENTITY qt5-version "5.15.2"> -<!ENTITY qtwebengine-version "5.15.2"> +<!ENTITY qtwebengine-version "5.15.3"> <!ENTITY qtwebkit-version "5.9.0"> <!ENTITY qscintilla-version "2.10.4"> <!ENTITY shared-mime-info-version "2.1"> Modified: trunk/BOOK/x/lib/qtwebengine.xml ============================================================================== --- trunk/BOOK/x/lib/qtwebengine.xml Wed Mar 17 10:54:14 2021 (r24381) +++ trunk/BOOK/x/lib/qtwebengine.xml Thu Mar 18 21:32:57 2021 (r24382) 
@@ -5,12 +5,15 @@ %general-entities; <!ENTITY qtwebengine-major "5.15"> +<!-- URL if there is a public release <!ENTITY qtwebengine-download-http "https://download.qt.io/archive/qt/&qtwebengine-major;/&qtwebengine-version;/submodules/qtwebengine-everywhere-src-&qtwebengine-version;.tar.xz"> + URL for a prepared git version --> + <!ENTITY qtwebengine-download-http "&sources-anduin-http;/qtwebengine/qtwebengine-&qtwebengine-version;.tar.xz"> <!ENTITY qtwebengine-download-ftp " "> - <!ENTITY qtwebengine-md5sum "c88cbe3158feb20c4feb3d54262feb23"> - <!ENTITY qtwebengine-size "267 MB"> - <!ENTITY qtwebengine-buildsize "4.4 GB (145 MB installed)"> - <!ENTITY qtwebengine-time "64 SBU (Using parallelism=4)"> + <!ENTITY qtwebengine-md5sum "838d5d4ef9d1e5b82a41bff6f830e4a4"> + <!ENTITY qtwebengine-size "306 MB"> + <!ENTITY qtwebengine-buildsize "4.4 GB (154 MB installed)"> + <!ENTITY qtwebengine-time "64 SBU (Using parallelism=4)"> ]> <sect1 id="qtwebengine" xreflabel="qtwebengine-&qtwebengine-version;"> 
@@ -39,20 +42,70 @@ <application>chromium</application> developers. </para> - <caution> + <!-- Note for editors re switching between git versions and releases: + If a public release of Qt 5.15.3 (or later) appears in a meaningful + time frame, please keep the notes re the git build, as comments, so + that updating for later fixes will be easier: in the past, updates + of 'stable' versions (i.e. 5.12 when 5.14, 5.15 were the newest) + happened much later than updates to the newest version (now Qt6) + and it seems likely we might again need to use a git version to fix + future chromium vulnerabilities. --> + + <warning> <para> QtWebEngine uses a forked copy of chromium, and is therefore vulnerable to many issues found there. The Qt developers have always preferred to make releases at the same time as the rest of Qt (rather than adding - emergency fixes). Now that they are keen to move to Qt6, the 5.15.3 and - later Qt-5.15 releases are initially only available to paying customers. - QtWebEngine is something of an exception because of its LGPL licence, - but the source in git and its forked submodules is not neatly packaged. - Until someone is able to build this on BLFS, using this package and - browsers which use it leaves you open you to unpatched security - vulnerabilities. + emergency fixes), but with stable versions getting released after the + current development version. Now that they are keen to move to Qt6, the + 5.15.3 and later Qt-5.15 releases are initially only available to paying + customers. QtWebEngine is something of an exception because of its LGPL + licence, but getting the git sources (with the forked chromium submodule) + to a position where they will successfully build on a current BLFS system + can take a lot of effort and therefore updates to the book may be delayed. + </para> + + <para> + It seems likely that future 5.15-series versions will also be released + long after the chromium vulnerabilities are known. 
</para> - </caution> + + <para> <!-- for git versions --> + The tarball linked to above was created from the 5.15 git branch + at https://code.qt.io/cgit/qt/qtwebengine.git commit 029771bcd254 + just before the version there was rolled on for 5.15.4, + <!-- the DTS doesn't let me put a url in a para --> + <!--ulink url="https://code.qt.io/cgit/qt/qtwebengine.git/commit/?h=5.15&id=029771bcd254"/>code.qt.io/cgit/qt/qtwebengine.git</ulink>--> + with the chromium submodule using the 87-branch at revision 7c8217b36a95. + </para> + </warning> + + <!-- note for editors on obtaining webengine from git. + First (if you do not already have a past version) + git clone git://code.qt.io/qt/qtwebengine.git + git submodule init - + that will report qtwebengine-chromium.git registered for src/3rdparty + now find the main branch names: + git fetch origin + git branch -r + after a release is prepared (even if the rest is not public), the 5.15 + branch is probably what you want + git checkout origin/5.15 + Confirm that HEAD is where you expected. + Now go to src/3rdparty + git fetch origin + git branch -r + The required branch is likely to be 87-branch unless there is a newer one + git checkout origin/87-branch (or whatever) + Use git log or git tk to look at its HEAD and check it seems appropriate. + + Now create tarballs - 'git archive' does not work across submodule boundaries, + so you need to create one archive from the top of qtwebengine/ and another + from the top of src/3rdparty (chromium, gn, ninja are apparently all part of + the qtwebengine-chromium module). Then in a work area untar the qtwebengine + tarball, go down to src/3rdparty and untar the submodule tarball. + Decide on what to call the result and create a full xz tarball using tar -cJf. + --> &lfs101_checked; 
@@ -115,13 +168,10 @@ <listitem> <para> Required patch: + <!-- keep links for releases and git versions as a reminder + that the tarball names names differ --> <ulink url="&patch-root;/qtwebengine-everywhere-src-&qtwebengine-version;-ICU68-2.patch"/> - </para> - </listitem> - <listitem> - <para> - Required patch: - <ulink url="&patch-root;/qtwebengine-everywhere-src-&qtwebengine-version;-glibc233-1.patch"/> + <ulink url="&patch-root;/qtwebengine-&qtwebengine-version;-build_fixes-1.patch"/> </para> </listitem> </itemizedlist> @@ -131,6 +181,7 @@ <bridgehead renderas="sect4">Required</bridgehead> <!-- the qmake output tends to be misleading. 'khr' is from Mesa --> <para role="required"> + <xref linkend="node"/>, <xref linkend="nss"/>, <xref linkend="python2"/>, and <xref linkend='qt5'/> 
@@ -172,25 +223,60 @@ <sect2 role="installation"> <title>Installation of qtwebengine</title> + <note> + <para> + Unlike version 5.15.2, the chromium-derived build system now needs + <command>python</command> to be available and to be python2. In + BLFS-10.1 the creation of the python symlink was removed as a step + towards eventually getting rid of python2 (other old packages which + need python2 usually work by invoking python2). If you are still + using an earlier version of BLFS where + <filename>/usr/bin/python</filename> exists, you can skip the + commands to create the symlink, and to later remove it. + </para> + </note> + <para> - First, ensure that the local headers are available when not building as - part of the complete <xref linkend="qt5"/>: + First, as the <systemitem class="username">root</systemitem> + user, create the python symlink: </para> -<screen><userinput>find -type f -name "*.pr[io]" | - xargs sed -i -e 's|INCLUDEPATH += |&$$QTWEBENGINE_ROOT/include |'</userinput></screen> +<screen role="root"><userinput>ln -svf /usr/bin/python{2,}</userinput></screen> + + <para> + Now apply a patch to fix several issues that can prevent the build working: + </para> + +<screen><userinput remap="pre">patch -Np1 -i ../qtwebengine-&qtwebengine-version;-build_fixes-1.patch</userinput></screen> + +<!-- start of commands for git versions only --> + <para> + Although the patch has ensured that git is not invoked during the build, + the build system has labyrinthine rules of byzantine complexity, and in + particular trying to build without two <filename>.git</filename> directories + will lead to it eventually falling into unexpected and unbuildable code + which references a private header that has not been created. Avoid this + by creating the required directories: + </para> + +<screen><userinput>mkdir -pv .git src/3rdparty/chromium/.git</userinput></screen> <para> - Next, apply a patch that fixes the build with system ICU version 68.1. 
+ Because this version of qtwebengine is aimed at a later release than the + current public releases, change it to build for qt-&qt5-version; using a + sed: </para> -<screen><userinput remap="pre">patch -Np1 -i ../qtwebengine-everywhere-src-&qtwebengine-version;-ICU68-2.patch</userinput></screen> +<screen><userinput>sed -e '/^MODULE_VERSION/s/5.*/&qt5-version;/' -i .qmake.conf</userinput></screen> +<!-- end of commands for git versions only --> <para> - Now apply a patch to fix an issue introduced by glibc-2.33. + Now, ensure that the local headers are available when not building as + part of the complete <xref linkend="qt5"/>: </para> -<screen><userinput remap="pre">patch -Np1 -i ../qtwebengine-everywhere-src-&qtwebengine-version;-glibc233-1.patch</userinput></screen> +<screen><userinput>find -type f -name "*.pr[io]" | + xargs sed -i -e 's|INCLUDEPATH += |&$$QTWEBENGINE_ROOT/include |'</userinput></screen> <para> Next, allow the pulseaudio library to be linked at build time, instead @@ -251,6 +337,7 @@ </para> <screen role="root"><userinput>make install</userinput></screen> + <!-- EDITORS NOTE: If you are updating this package, use INSTALL_ROOT= instead of DESTDIR= --> <!-- @@ -268,6 +355,13 @@ <screen role="root"><userinput>find $QT5DIR/ -name \*.prl \ -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d' {} \;</userinput></screen> + + <para> + Finally, as the <systemitem class="username">root</systemitem> + user, remove the python symlink: + </para> + +<screen role="root"><userinput>rm -v /usr/bin/python</userinput></screen> </sect2> <sect2 role="commands"> @@ -299,7 +393,7 @@ recognize the NINJAJOBS environment variable, this command will run system ninja with the specified number of jobs (i.e. 4). There are several reasons why you might want to do this: - </para> + </para> <itemizedlist> <listitem> 
@@ -348,10 +442,46 @@ few times for each affected tab. </para> + <para> + If a browser using this package fails to run and when run + from a term it reports 'Trace/breakpoint trap' that is + probably a kernel configuration issue - there is no need + to rebuild QtWebEngine, see the next section, recompile + the kernel and reboot to the new kernel. + </para> + </sect3> </sect2> + <sect2 role="kernel" id="qtwebengine-kernel"> + <title>Kernel Configuration</title> + + <para> + Enable the following options in the kernel configuration and recompile the + kernel if necessary: + </para> + +<!-- Spaces are significant in <screen> sections --> +<screen><literal>General setup ---> + -*- Namespaces support ---> + [*] UTS namespace [CONFIG_UTS_NS] + [*] TIME namespace [CONFIG_TIME_NS] + [*] IPC namespace [CONFIG_IPC_NS] + [ ] User namespace #CONFIG_USER_NS is not set + [*] PID namespace [CONFIG_PID_NS] + [*] Network namespace [CONFIG_NET_NS]</literal></screen> + + <para> + These are now the default options. Do <emphasis>NOT</emphasis> enable + User namespace (CONFIG_USER_NS), it <emphasis>will</emphasis> cause + libQtWebengineCore to crash. + </para> + + <indexterm zone="qtwebengine qtwebengine-kernel"> + <primary sortas="d-qtwebengine">qtwebengine</primary> + </indexterm> + </sect2> <sect2 role="content"> <title>Contents</title> Modified: trunk/BOOK/xsoft/graphweb/falkon.xml ============================================================================== --- trunk/BOOK/xsoft/graphweb/falkon.xml Wed Mar 17 10:54:14 2021 (r24381) +++ trunk/BOOK/xsoft/graphweb/falkon.xml Thu Mar 18 21:32:57 2021 (r24382) 
@@ -41,19 +41,21 @@ functionality). </para> - <caution> + <warning> <para> - Falkon re;lies on QtWebEngine. That uses a forked copy of chromium, and + Falkon relies on QtWebEngine. That uses a forked copy of chromium, and is therefore vulnerable to many issues found there. The Qt developers have always preferred to make releases at the same time as the rest of Qt (rather than adding emergency fixes). Now that they are keen to move to Qt6, the 5.15.3 and later Qt-5.15 releases are initially only available to paying customers. QtWebEngine is something of an exception because of - its LGPL licence, but the source in git and its forked submodules is not - neatly packaged. Until someone is able to build this on BLFS, using - falkon leaves you open you to unpatched security vulnerabilities. + its LGPL licence, but getting the git sources (with the forked chromium + submodule) to a point where they will successfully build on a current + BLFS system can take a lot of effort. Be aware that future fixes for + vulnerabilities might be very delayed, to the extent that you might wish + to consider using a different browser. </para> - </caution> + </warning> &lfs101_checked; -- http://lists.linuxfromscratch.org/listinfo/blfs-book FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
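Review bot: In the qtwebengine.xml entity hunk (@@ -5,12 +5,15 @@), the new `qtwebengine-download-http` points at a tarball rolled by an editor under `&sources-anduin-http;`, and the only integrity value published for it is `qtwebengine-md5sum`. There is no upstream release or signature to compare this tarball against, so consider recording a SHA-256 for it as well, next to the commit ids given in the warning. Separately, the log says this version is a lot bigger and slower to build, yet `qtwebengine-time` stays at 64 SBU and the build size at 4.4 GB; those two values look like they still need re-measuring.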
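Review bot: In the editors' note added by the @@ -39,20 +42,70 @@ hunk, `git clone git://code.qt.io/qt/qtwebengine.git` fetches over the unauthenticated git:// transport, so nothing verifies what ends up in the published tarball. Clone over an https:// URL instead, and have the note tell the editor to compare HEAD in both trees against the commits recorded in the warning (029771bcd254 and 7c8217b36a95, ideally written out as full hashes). The procedure also goes from `git submodule init -` straight to 'Now go to src/3rdparty' with no `git submodule update`, so the submodule is not yet populated at that point, and 'git tk' is presumably gitk. The commented-out ulink probably failed validation because of the bare `&id=` in the url attribute (it needs `&amp;`) and because the tag is self-closed with `/>` and then closed again with `</ulink>`, rather than because a ulink is not allowed in a para.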
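Review bot: In the patch-list hunk (@@ -115,13 +168,10 @@), the new comment closes before the first `<ulink>`, so both links are live and render under a single 'Required patch:' item. The ICU68-2 link is kept, but the installation hunk removes the command that applied it, and with `qtwebengine-version` now 5.15.3 it expands to a qtwebengine-everywhere-src-5.15.3-ICU68-2.patch that these instructions never use. Move the release-tarball link inside the comment so that only the build_fixes-1 patch is listed, and fix 'names names' while there.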
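Review bot: The `ln -svf /usr/bin/python{2,}` step in the @@ -172,25 +223,60 @@ hunk changes what `python` means for the whole system for the length of a 64 SBU build, and `-f` silently replaces any /usr/bin/python that already exists. If the build fails or is abandoned the link stays behind, and the matching `rm -v /usr/bin/python` in the @@ -268,6 +355,13 @@ hunk is stated unconditionally, so a reader on an older BLFS who skipped the `ln` but not the `rm` loses their original link. If the chromium build system only looks python up through PATH, a private directory holding a python link to python2, prepended to PATH for the build, would avoid touching /usr/bin at all; otherwise repeat the 'skip this if /usr/bin/python already existed' condition next to the `rm`.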
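Review bot: In the new Kernel Configuration section (@@ -348,10 +442,46 @@), 'Do NOT enable User namespace (CONFIG_USER_NS)' is a system-wide requirement stated without a reason or a reference. CONFIG_USER_NS affects everything on the machine that relies on unprivileged user namespaces, so say what actually fails (the 'Trace/breakpoint trap' described just above, if that is the symptom) and link the upstream report or BLFS ticket so readers can tell when the restriction no longer applies. 'These are now the default options' should also say whose defaults are meant, and 'see the next section' would be more robust as `<xref linkend="qtwebengine-kernel"/>`.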
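Review bot: The falkon.xml warning (@@ -41,19 +41,21 @@) repeats most of the qtwebengine warning word for word, which means the two texts have to be kept in step by hand at every future update. Consider shortening it to the falkon-specific advice (fixes may be very delayed, consider a different browser) and pointing to `<xref linkend="qtwebengine"/>`, where the git commit and chromium branch for the current build are recorded.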