[Development] [Announce] Security advisory: Freetype in Qt

Albert Astals Cid aacid at kde.org
Fri Aug 19 16:28:33 CEST 2022


On Friday, 19 August 2022, at 11:35:51 (CEST), Volker Hilsheimer wrote:
> Back from holidays, following up on the open points from this thread after
> discussing within The Qt Company:
>
> [snip] 
> 
> The agreement with KDE is that the exact version of Qt that was released as
> commercial LTS is made available as a source-only package, with one year
> delay. 

Calling it "an agreement" is a mischaracterization, as if KDE thought that was a good idea.

We think it's a terrible idea that has undoubtedly worsened the reputation of Qt both among its users and its developers (as we predicted), and I sincerely doubt you sold enough licenses to recoup all the development work TQC had to do to create all those private branches you use; if at all, I would expect a loss in licenses, since projects started moving away from Qt to other libraries that don't punish their users.

The Qt Company is only doing those releases 12 months later because it is the bare minimum mandated by the KDE Free Qt Foundation contract.

> So, the Qt 5.15.6 source package in September will be exactly what
> customers got as Qt 5.15.6, including a bundled freetype with
> vulnerabilities.

It makes me super sad that the Qt Project maintainer can say that the latest available version of one of its products (Qt5) has a known exploitable vulnerability and pretend all is good.

Even worse when the patches to fix that vulnerability exist and would cost you 5 minutes to put online, but you still refuse to provide them, to punish us for using your product.

In case you don't understand what I am speaking about, I mean the Qt 5.15 patch corresponding to
https://code.qt.io/cgit/qt/qtbase.git/commit/src/3rdparty/freetype?id=cfa631e0fb5d78aac80cb580eb092fafa1cd9a8f
which you didn't mark as Pick-to: 5.15, but from reading the CVE-2022-27404-27405-27406-qtbase-5.15.diff patch it's clear you did.

> This might make little sense, but it makes little sense to make a 5.15.6
> that is different either, or a 5.15.6.2 with some patches applied. 

Nobody is asking you to release a 5.15.6.2 version, we are just asking you to provide a security patch that applies.

> People
> can clone 5.15.6 from git, and people download and build software against
> old versions of Qt all day long, accepting that security patches or
> critical fixes might be missing.

Ah yes, the "everyone jumped off the bridge so I did too" excuse...

Also, please do not conflate security patches with critical fixes.

There's very little room for "critical fixes" that can be applied to Qt 5.15: it has been released for years, is used in lots of places by lots of people, and generally "it works"; people can generally live without "those fixes".

Security issues, on the other hand, are corner-case scenarios and usually mean some very nefarious things can happen, so yes, people need them.

> Since the LGPL source package of Qt 5.15.6 needs to be configured and built
> explicitly anyway, follow Thiago’s recommendation to use system libraries
> whenever possible.

And when not possible, you will get exploited :)

INSERT DOG IN HOUSE ON FIRE MEME

Albert 

> 
> Volker
> 
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> https://lists.qt-project.org/listinfo/development
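An added check, not part of the thread or of Qt's own tooling, for whether a Qt build actually follows Thiago's advice: Qt 5's `./configure -system-freetype` makes libQt5Gui link against the distribution's libfreetype (which the distro patches), whereas the default bundled copy under src/3rdparty/freetype is compiled into libQt5Gui itself and only gets fixed when Qt ships the patch. The ldd output below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Classify a Qt build by what libQt5Gui links against.
# Built with -system-freetype  -> DT_NEEDED entry for libfreetype.so.6
# Built with the bundled copy  -> no libfreetype dependency; the FreeType
#   code (and any unpatched CVEs in it) lives inside libQt5Gui.

# freetype_source LDD_OUTPUT -> prints "system" or "bundled"
freetype_source() {
    if printf '%s\n' "$1" | grep -q 'libfreetype\.so'; then
        echo system
    else
        echo bundled
    fi
}

# check_qt_gui PATH_TO_libQt5Gui.so -> runs ldd on a real library.
# Returns 2 if the file is unreadable, so a missing library is not
# silently reported as "bundled".
check_qt_gui() {
    lib="$1"
    [ -r "$lib" ] || { echo "cannot read $lib" >&2; return 2; }
    freetype_source "$(ldd "$lib")"
}

# Constructed sample ldd output for the two build types (hypothetical paths).
SYSTEM_BUILD='    linux-vdso.so.1 (0x00007ffd00000000)
    libfreetype.so.6 => /lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007f0000000000)
    libQt5Core.so.5 => /usr/lib/x86_64-linux-gnu/libQt5Core.so.5 (0x00007f0000100000)'

BUNDLED_BUILD='    linux-vdso.so.1 (0x00007ffd00000000)
    libQt5Core.so.5 => /opt/qt-5.15.6/lib/libQt5Core.so.5 (0x00007f0000100000)
    libpng16.so.16 => /lib/x86_64-linux-gnu/libpng16.so.16 (0x00007f0000200000)'

echo "sample system build:  $(freetype_source "$SYSTEM_BUILD")"
echo "sample bundled build: $(freetype_source "$BUNDLED_BUILD")"
```

On a live system, `check_qt_gui /path/to/libQt5Gui.so.5` gives the answer for an actual build; a "bundled" result on a 5.15.6 source build means the FreeType fixes discussed in this thread are not present unless the diff was applied by hand.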