[Development] How is Quick Controls 2 deployment meant to be ?

Massimo Callegari massimocallegari at yahoo.it
Sat Jul 8 15:33:54 CEST 2017


> * I think that Universal and material styles are bundled because the user can change the current style used from the command line

I know that, but it should be up to the developer to pick what goes in the bundle, not a tool.

In my case, I use Quick Controls 2 just as templates and I override what I need to create my custom look & feel. So I don't need any style at all.

> * For the QtNetwork stuff you need to keep in mind that a lot of stuff works with URLs. For example you can specify an "http://.." url for an Image source. If I'm not wrong this implies that QtNetwork is a strong dependency of QtQuick.

I am aware of this as well, but the basic Quick Controls 2 template created by Qt Creator doesn't make any use of network URLs. In other words, *deployqt should analyze the code in depth to find whether a component is really needed or not. In case, again, the developer might adjust the final dependencies if they really need to.

> * Security is a big topic, but for files you use the filesystem user/group permissions

As far as I know, there's no such thing in Windows when you install an application at user level. I use NSIS to provide a self-installing bundle and I'm not even sure if I can configure it to restrict to the system administrator the access of just some files. In any case, home PC Windows users are normally system administrators too.
Same story for Linux.
If I'm not mistaken, even in a macOS bundle you can edit files without root privileges.

In every case though, QML files can at least be read, and believe me when I say I've got users that are capable of telling me "why don't you change Button.qml padding from 6 to 10 ?". Or even worse, they change stuff, and then come up with ridiculous issues and I need to waste my (limited) time to find out what's going on.
To be honest I don't want them to peek their noses in the code, unless they are developers who know what they're saying.
Mine is an open source application, but the less they can change, the less they are tempted to become developers in one day...

________________________________
From: Filippo Cucchetto <filippocucchetto at gmail.com>
To: Massimo Callegari <massimocallegari at yahoo.it>
Cc: Qt Development ML <development at qt-project.org>
Sent: Saturday 8 July 2017 14:30
Subject: Re: [Development] How is Quick Controls 2 deployment meant to be ?



* I think that Universal and material styles are bundled because the user can change the current style used from the command line
* For the QtNetwork stuff you need to keep in mind that a lot of stuff works with URLs. For example you can specify an "http://.." url for an Image source. If I'm not wrong this implies that QtNetwork is a strong dependency of QtQuick.
* Security is a big topic, but for files you use the filesystem user/group permissions




2017-07-08 13:24 GMT+02:00 Massimo Callegari via Development <development at qt-project.org>:

>Hello Qt devs,
>
>the Quick Controls 2 initiative is great, but I'm struggling to understand how deployment is meant to be done.
>
>So for "fun" I did an experiment on Windows (but this is the same also on other platforms):
>- open Qt Creator
>- create a new Quick Controls 2 default template (1 text field, 1 button, 1 swipeview)
>- select "Default" as the only style
>- build and deploy with windeployqt
>
>For a 21Kb executable, you'll get a marvellous 61MB bundle, with a total of 235 files in it.
>
>Now, I see two major issues here:
>
>1) *deployqt is basically a useless tool. It doesn't consider the real dependencies needed and copies everything every time.
>In the bundle I found the network bearer plugins, when the application clearly doesn't use any QtNetwork feature.
>Same for iconengines and imageformats plugins.
>In QtQuick/Controls.2 I found Material and Universal styles (106 files total) when I clearly told Qt Creator I didn't want them.
>In the same folder there are 56 files, when the app probably requires less than 10.
>
>2) Security ? There is none.
>If you deploy an application using a TextField control with echoMode: TextInput.Password, one can easily add some trivial JavaScript code to the comfortably reachable QtQuick/Controls.2/TextField.qml file and somehow display/log a password.
>In general, an end user can seriously mess up an application by changing a few text files.
>I'm also wondering how Linux distributions can accept this. In my KDE Neon distro I've got /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that I can edit and compromise my system.
>
>Now, I'm stuck in deciding what to do with all the above. Manually building a list of QML files needed is a nightmare. Using *deployqt and then removing the files not needed is a nightmare as well.
>
>In my opinion the optimal solution would be to have an inspection tool that identifies the exact files needed by an application that outputs a QRC file that can be easily added to the application .pro file. A sort of pre-building step.
>No idea how this copes with the recent QML caching system and what is more efficient between qmlc files and QRC-bundled QMLs.
>
>I am open to ideas and comments. Maybe I'm really missing something obvious that I couldn't find in the online documentation.
>
>Cheers,
>Massimo


-- 

Filippo Cucchetto
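
Added example, not part of the original thread and not Qt or *deployqt code: one way to detect the locally edited QML files discussed above is to record a SHA-256 manifest of the bundle's QML files at packaging time and compare the installed tree against it later. The function names and the sample bundle layout below are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(bundle_dir, suffixes=(".qml", ".js", "qmldir")):
    """Map each QML-related file (path relative to bundle_dir) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, bundle_dir).replace(os.sep, "/")
                manifest[rel] = _sha256(full)
    return manifest

def verify_bundle(bundle_dir, manifest):
    """Compare the installed tree with the packaging-time manifest."""
    current = build_manifest(bundle_dir)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed sample bundle: record a manifest, edit one file, add another."""
    with tempfile.TemporaryDirectory() as bundle:
        controls = os.path.join(bundle, "QtQuick", "Controls.2")
        os.makedirs(controls)
        for name, body in (("TextField.qml", "T.TextField { padding: 6 }\n"),
                           ("Button.qml", "T.Button { padding: 6 }\n")):
            with open(os.path.join(controls, name), "w") as f:
                f.write(body)
        manifest = build_manifest(bundle)          # done once, at packaging time
        with open(os.path.join(controls, "Button.qml"), "w") as f:
            f.write("T.Button { padding: 10 }\n")  # a user's local edit
        with open(os.path.join(controls, "Extra.qml"), "w") as f:
            f.write("Item {}\n")                   # a file that was never shipped
        return verify_bundle(bundle, manifest)

if __name__ == "__main__":
    print(demo())
```

This only reports changes; it does not prevent them, and a manifest stored as a plain file next to the QML files is as editable as they are, so it would need to be embedded in the executable or signed.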


