[Development] Qt PDF as a new TP module for Qt 5.14

Thiago Macieira thiago.macieira at intel.com
Wed Aug 14 16:41:50 CEST 2019


On Tuesday, 13 August 2019 22:40:29 PDT Allan Sandfeld Jensen wrote:
> On Wednesday, 14 August 2019 07:09:33 CEST Thiago Macieira wrote:
> > On Tuesday, 13 August 2019 16:04:38 PDT Allan Sandfeld Jensen wrote:
> > > That is exactly the same as Chromium does. Except we already put the work
> > > into backporting the fixes.
> > 
> > ALL of them? How quickly?
> > 
> > Please make sure that either you're releasing within two weeks of *every*
> > CVE or that I can use an unbundled copy of the source. Failing that, I
> > cannot add qtpdf to Clear Linux.
> 
> So you have a higher requirement for a PDF viewer than you do for browsers?

No, it's the same: every High or Critical CVE fixed within two weeks of a fix 
being available. Regardless of whether the software in question made a release 
or not.

qtwebengine is its own headache because we can't use the release tarballs from 
qt.io. We need to wait for Fedora to clean up the not-totally-free content 
inside[*] and publish sources. So for that one, our policy became "whatever 
Fedora has is good enough". But I will not add a new package like that.

Chrome and Firefox are also installed in such a way that Google and Mozilla 
are responsible for updates. We don't currently have Chromium.

> But yes all of them, but we are tied by how fast Qt releases. We do make
> sure to fix the security issues before the details are made public, which
> is 14 weeks after a Chrome version has been released with the fix.

If qtpdf uses chromium sources, it will not be added to the distro. You'll be 
marrying one of the worst offenders in terms of CVEs published (PDF engines) 
to the worst offender. I'll simply not take the chance, until at least my hand 
is forced by there being a lot of open source software trying to use it.

If it uses the already-compiled qtwebengine, then there may be a way.

[*] ffmpeg

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products





