[Development] How is Quick Controls 2 deployment meant to be ?

Massimo Callegari massimocallegari at yahoo.it
Sat Jul 8 13:24:56 CEST 2017 

Hello Qt devs,

the Quick Controls 2 initiative is great, but I'm struggling to understand how deployment is meant to be done.

So for "fun" I did an experiment on Windows (but this is the same also on other platforms):
- open Qt Creator
- create a new Quick Controls 2 default template (1 text field, 1 button, 1 swipeview)
- select "Default" as the only style
- build and deploy with windeployqt

For a 21Kb executable, you'll get a marvellous 61MB bundle, with a total of 235 files in it.

Now, I see two major issues here:

1) *deployqt is basically a useless tool. It doesn't consider the real dependencies needed and copy everything every time.
In the bundle I found the network bearer plugins, when the application clearly doesn't use any QtNetwork feature.
Same for iconengines and imageformats plugins.
In QtQuick/Controls.2 I found Material and Universal styles (106 files total) when I clearly told Qt Creator I didn't want them.
In the same folder there are 56 files, when the app probably requires less than 10.

2) Security ? There is none.
If you deploy an application using a TextField control with echoMode: TextInput.Password, one can easily add some trivial JavaScript code to the comfortably reachable QtQuick/Controls.2/TextField.qml file and somehow display/log a password.
In general, an end user can seriously mess up an application by changing a few text files.
I'm also wondering how Linux distributions can accept this. In my KDE Neon distro I've got /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that I can edit and compromise my system.

Now, I'm stuck in deciding what to do with all the above. Manually building a list of QML files needed is a nightmare. Using *deployqt and then removing the files not needed is a nightmare as well.

In my opinion the optimal solution would be to have an inspection tool that identifies the exact files needed by an application that outputs a QRC file that can be easily added to the application .pro file. A sort of pre-building step.
No idea how this copes with the recent QML caching system and what is more efficient between qmlc files and QRC-bundled QMLs.

I am open to ideas and comments. Maybe I'm really missing something obvious that I couldn't find in the online documentation.

Cheers,
Massimo

More information about the Development mailing list