[Development] [Announce] Security advisory: Freetype in Qt

Thiago Macieira thiago.macieira at intel.com
Sun Aug 21 22:44:46 CEST 2022


On Friday, 19 August 2022 14:30:08 -03 Ahmad Samir wrote:
> Going forward, don't ship/bundle 3rd party libs, instead add scripts (shell
> or CMake (the latter has support to fetch remote stuff
> https://cmake.org/cmake/help/latest/module/FetchContent.html)) that
> download that source code from git (at a specific commit hash) or as
> tarballs and unpack them ...etc. This approach means you would only need to
> change one line in a script and users will get the latest stable source
> code of a 3rd party lib the next time they build. "Does the next version of
> lib A build?" that's a question Linux distributions will usually have an
> answer for; and you will have an answer for it too if you use those same
> scripts to fetch those sources in your e.g. Windows CI.

That doesn't help with third-parties whose buildsystem is not CMake.

The proper solution is to build them onto your environment before you build 
Qt. Conan does that for you.

How viable would be a Conan solution that builds all Qt's dependencies and Qt 
too, for all the OSes we need it for?
- Windows
- Linux desktops
- macOS
- Apple embedded platforms
- QNX
- INTEGRITY
(which is all but Linux embedded systems; those can use Yocto Project recipes 
instead)

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Cloud Software Architect - Intel DCAI Cloud Engineering
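
The thread's suggestion of fetching third-party tarballs from a build script instead of bundling them depends on the script checking what it downloaded. The following is an added example, not part of the original message or of Qt's build system: it verifies a tarball against a pinned SHA-256 and unpacks it without letting members escape the destination. The names `verify_and_unpack`, `PinMismatch`, `make_tarball` and the `libfoo` sample are hypothetical, and the tarball is constructed in memory in place of a real download.

```python
import hashlib
import io
import tarfile
from pathlib import Path


class PinMismatch(Exception):
    """Downloaded bytes do not match the digest recorded in the build script."""


def verify_and_unpack(data: bytes, pinned_sha256: str, dest: Path) -> list:
    # 1. Compare against the pin before parsing a single byte of the archive.
    actual = hashlib.sha256(data).hexdigest()
    if actual != pinned_sha256.lower():
        raise PinMismatch(f"expected {pinned_sha256}, got {actual}")
    dest = dest.resolve()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
        # 2. Validate every member first so a bad archive writes nothing.
        for m in members:
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing non-regular member: {m.name}")
            if not (dest / m.name).resolve().is_relative_to(dest):
                raise ValueError(f"member escapes destination: {m.name}")
        # 3. Write file contents ourselves instead of trusting archive metadata.
        for m in members:
            target = dest / m.name
            if m.isdir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(m).read())
    return [m.name for m in members if m.isfile()]


def make_tarball(files: dict) -> bytes:
    """Build a constructed sample tarball in memory (stands in for a download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

With this shape, moving to a new upstream release means changing the download location and the pinned digest together, and a tarball that was altered in transit or on the mirror fails before anything is unpacked.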




