Re: [security] only latest Qt 5.14.1 has all fixes
Rex Dieter wrote:
> Damian Ivanov wrote:
>
>>> Bumping Qt versions is... a fairly difficult process in fedora,
>>> unfortunately.
>>
>> Introducing a new Qt version could be very simple I think:
>> 1) Branch all Qt related packages (it should be with a one line
>> command or using a web interface)
>> 2) Edit package version number (with a per project (like Qt:5.14.1
>> project) macro - 1 digit changed/or two)
>> 3) Wait for packages to be published into repo (and that repo contains
>> all packages - without spec change - that use Qt priv headers).
>> 4) Fix eventual build failures due to rebased patches etc.
>> 5) optional: Press push to start a request to get this merged into main
>> repo.
>
> Building the core Qt packages is the easy part. We have that largely
> scripted and semi-automated.
>
> The (much) harder part is coordinating rebuilds of all the other packages
> that depend on private Qt5 APIs (I wish there weren't so many).

I suppose I could just make it easier on myself and just use the rpmdev-bumpspec
tool on dependencies too.

Historically, I've tried to make an effort to keep branches merged, at least
for those packages/maintainers that prefer to do it that way.

-- rex

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: [security] only latest Qt 5.14.1 has all fixes
Damian Ivanov wrote:

>> Bumping Qt versions is... a fairly difficult process in fedora,
>> unfortunately.
>
> Introducing a new Qt version could be very simple I think:
> 1) Branch all Qt related packages (it should be with a one line
> command or using a web interface)
> 2) Edit package version number (with a per project (like Qt:5.14.1
> project) macro - 1 digit changed/or two)
> 3) Wait for packages to be published into repo (and that repo contains
> all packages - without spec change - that use Qt priv headers).
> 4) Fix eventual build failures due to rebased patches etc.
> 5) optional: Press push to start a request to get this merged into main
> repo.

Building the core Qt packages is the easy part. We have that largely
scripted and semi-automated.

The (much) harder part is coordinating rebuilds of all the other packages
that depend on private Qt5 APIs (I wish there weren't so many).

-- Rex
Re: [security] only latest Qt 5.14.1 has all fixes
Hello Rex,

> So, we (kde-sign, Qt maintainers) generally update strategically where it
> makes sense to warrant the time investment in doing so.

I understand. Also that some people contribute in their free time (or paid time, but contributing is not mandatory), which of course means a lot. I understand that packaging is a fairly time consuming task.

Back in the days when I used openSUSE and OBS I built the Unity desktop environment and maintained it for a release and a half IIRC (30+ packages, where some require custom vendor patches), different from what the distribution (gnome, the patches) uses. Another contributor, chenxialong, packaged it at that time for Fedora on OBS from the same repository (because doing something more sophisticated than (cross) building a simple package is not possible using Fedora tools, but today's requirements are), so a lot of the packaging effort was shared. As a (re)build takes some time, it is nice to be able to edit some things (spec files) from the web interface, on your phone from the gym or on another computer, which is very easily possible in OBS. I think that something similar would attract people to contribute to packaging in Fedora in general.

> Bumping Qt versions is... a fairly difficult process in fedora,
> unfortunately.

I understand, but there are some things that concern me. I would like to use a secure Qt (5.14) with all security critical fixes (and new functions) built for Fedora. As a user of Fedora I would like to contribute, and others to contribute, as a packager, but I do not see tools that provide the minimum requirements to do so (a web interface for spec file editing, multiple repos e.g. for Qt). As a Linux enthusiast I am deeply concerned with a far better (and long term easier to maintain) technical solution being suppressed either by incapable management, "I just work there" mentality or people who prefer to spend hours of work they are used to instead of 5 minutes of work that's new for them (reminds me of systemd somehow).

> Bumping Qt versions is... a fairly difficult process in fedora,
> unfortunately.

Introducing a new Qt version could be very simple I think:
1) Branch all Qt related packages (it should be with a one line command or using a web interface)
2) Edit package version number (with a per project (like Qt:5.14.1 project) macro - 1 digit changed/or two)
3) Wait for packages to be published into repo (and that repo contains all packages - without spec change - that use Qt priv headers).
4) Fix eventual build failures due to rebased patches etc.
5) optional: Press push to start a request to get this merged into main repo.

> Bumping Qt versions is... a fairly difficult process in fedora,
> unfortunately.

Would a workflow similar to the one described allow speeding up providing the newest Qt optionally in, let's say, qt5.14/x86_64/{rawhide, f32, f31, f30} but keeping the main repo unchanged if desired?
Would you say that the current build system maybe needs improving or a rework to provide kde-sign, Qt maintainers and you with a slightly less difficult process?
Would you agree that having the possibility for users to choose a different Qt version from a different versioned repo may help testing and improve quality?
Would you and the kde-sign, Qt maintainers say that the workflow described above maybe is exactly what is needed (OBS)?

Br,
Damian

On Wed, Jan 29, 2020 at 6:32 PM Rex Dieter wrote:
>
> Damian Ivanov wrote:
>
> > But it's not the only CVE fixed with Qt 5.14.1
> > The point is that there is other software using Qt which doesn't start
> > with K even though K works just fine with 5.14 by the experience of other
> > distributions.
>
> Bumping Qt versions is... a fairly difficult process in fedora,
> unfortunately. The primary reason is that there are many packages that use
> Qt private APIs that require rebuilding for every release. Quick check just
> now in rawhide is that a full Qt5 version update requires (re)building at
> least 78 packages.
>
> So, we (kde-sign, Qt maintainers) generally update strategically where it
> makes sense to warrant the time investment in doing so.
>
> -- Rex
Re: [security] only latest Qt 5.14.1 has all fixes
Damian Ivanov wrote:

> But it's not the only CVE fixed with Qt 5.14.1
> The point is that there is other software using Qt which doesn't start
> with K even though K works just fine with 5.14 by the experience of other
> distributions.

Bumping Qt versions is... a fairly difficult process in fedora,
unfortunately. The primary reason is that there are many packages that use
Qt private APIs that require rebuilding for every release. Quick check just
now in rawhide is that a full Qt5 version update requires (re)building at
least 78 packages.

So, we (kde-sign, Qt maintainers) generally update strategically where it
makes sense to warrant the time investment in doing so.

-- Rex
Re: [security] only latest Qt 5.14.1 has all fixes
But it's not the only CVE fixed with Qt 5.14.1
The point is that there is other software using Qt which doesn't start with K even though K works just fine with 5.14 by the experience of other distributions. Though all software is affected by security issues by using unpatched Qt.

Affected by these new circumstances is not only @fedoraproject but as a bonus also rhel / centos, unless RH is paying Qt for the LTS, or RH backports or provides latest Qt (at least very soon regarding the LTS).

The best approach is probably to provide a repo with the latest Qt version for fedora; whoever wants to use their security free old tested version can do so and others can use the newest secure upstream Qt version.

As a former user of openSUSE I gotta say that they have solved this very elegantly. Multiple repos for example for Qt are created easily. You can even bump version numbers or do simple changes to spec files from your phone or any other web capable host, a very welcoming build system; back then with OBS as an openSUSE user I was maintaining more than a dozen packages.

I will be gathering a list of all the CVEs later that would need to be backported (to 5.12 and Qt 5.13) unless there is another solution, although I think crash fixes should be backported as well, as there is no option to use a good Qt version on Fedora, whereas other distributions do provide an option to use a secure Qt version; maybe a public comparison is needed.

BR,
Damian

On Tue, 28 Jan 2020, 23:58 Rex Dieter, wrote:
> Kevin Kofler wrote:
>
> > Rex Dieter wrote:
> >> Latest CVE there has a backported fix applied to fedora's packaging, and
> >> is currently in bodhi updates-testing,
> >> https://bodhi.fedoraproject.org/updates/FEDORA-2020-9139ba5469
> >> https://bodhi.fedoraproject.org/updates/FEDORA-2020-e9b85978d4
> >
> > But that's only QtBase. QtWebEngine has dozens of security fixes again in
> > 5.14.0 and 5.14.1 and our package is stuck on 5.13.2. (5.14.0 adds the
> > fixes from Chrom* 78, 5.14.1 the ones from Chrom* 79. 5.13.2 only has
> > security fixes up to Chrom* 77.)
>
> QtBase was the primary CVE mentioned in the original link.
>
> QtWebengine packaging is less restricted as far as updates and pretty sure
> that wasn't the point of the original post.
>
> -- Rex
Re: [security] only latest Qt 5.14.1 has all fixes
Kevin Kofler wrote:
> Rex Dieter wrote:
>> Latest CVE there has a backported fix applied to fedora's packaging, and
>> is currently in bodhi updates-testing,
>> https://bodhi.fedoraproject.org/updates/FEDORA-2020-9139ba5469
>> https://bodhi.fedoraproject.org/updates/FEDORA-2020-e9b85978d4
>
> But that's only QtBase. QtWebEngine has dozens of security fixes again in
> 5.14.0 and 5.14.1 and our package is stuck on 5.13.2. (5.14.0 adds the
> fixes from Chrom* 78, 5.14.1 the ones from Chrom* 79. 5.13.2 only has
> security fixes up to Chrom* 77.)

QtBase was the primary CVE mentioned in the original link.

QtWebengine packaging is less restricted as far as updates and pretty sure
that wasn't the point of the original post.

-- Rex
Re: [security] only latest Qt 5.14.1 has all fixes
Rex Dieter wrote:
> Latest CVE there has a backported fix applied to fedora's packaging, and
> is currently in bodhi updates-testing,
> https://bodhi.fedoraproject.org/updates/FEDORA-2020-9139ba5469
> https://bodhi.fedoraproject.org/updates/FEDORA-2020-e9b85978d4

But that's only QtBase. QtWebEngine has dozens of security fixes again in
5.14.0 and 5.14.1 and our package is stuck on 5.13.2. (5.14.0 adds the
fixes from Chrom* 78, 5.14.1 the ones from Chrom* 79. 5.13.2 only has
security fixes up to Chrom* 77.)

Kevin Kofler
Re: [security] only latest Qt 5.14.1 has all fixes
Latest CVE there has a backported fix applied to fedora's packaging, and
is currently in bodhi updates-testing,
https://bodhi.fedoraproject.org/updates/FEDORA-2020-9139ba5469
https://bodhi.fedoraproject.org/updates/FEDORA-2020-e9b85978d4
Re: [security] only latest Qt 5.14.1 has all fixes
This is more a request to ship secure versions of software in fedora and rhel that don't have open CVEs when fixed versions are available.

On Tue, 28 Jan 2020, 19:21 Artem Tim, wrote:
> Request 768036 (accepted)
> Qt 5.14.1 - untested, as usual
> https://build.opensuse.org/request/show/768036
>
> That is all we need to know about how packages are updated in openSUSE, or
> something else?
Re: [security] only latest Qt 5.14.1 has all fixes
Request 768036 (accepted)
Qt 5.14.1 - untested, as usual
https://build.opensuse.org/request/show/768036

That is all we need to know about how packages are updated in openSUSE, or something else?
[security] only latest Qt 5.14.1 has all fixes
As mentioned in:
https://www.qt.io/blog/qt-5.14.1-released
https://www.qt.io/blog/qt-offering-changes-2020

Qt 5.14.1 seems to be the only available Qt version that contains various security fixes for CVEs, after Qt's recent switch of patch handling (for open source only the latest version receives fixes, but distributions can backport). Just mentioning the most popular one: CVE-2020-0570, and there are a bunch of others.

With the latest version in Rawhide being 5.13, I ask how Fedora is affected by these CVEs? When will the Fedora Qt maintainers provide packages without known security issues, if thus affected?

Distributions like arch and gentoo have already made the switch to latest. openSUSE build service, which allows you to edit spec files even from your phone, has had it for several months now:
https://build.opensuse.org/project/show/KDE:Qt:5.14