[Development] Procedures for QUIP 4 (Third-Party Components in Qt)
Thiago Macieira
thiago.macieira at intel.com
Thu Oct 16 16:35:41 CEST 2025
On Thursday, 16 October 2025 01:48:31 Pacific Daylight Time Giuseppe D'Angelo
via Development wrote:
> Ideally, there should be a validation of all the 3rd party code shipped
> with Qt as part of the release process. However this doesn't look
> straightforward: we fetch libraries from many different repos, we have
> custom build scripts, we just copy a subset of the files, sometimes we
> patch them. So we can't just compare 3rdpart/foo/ with a fresh tarball
> of libfoo.
>
> So, before we go further, is this a real problem, and do we want to
> address it?
I think a simple few steps are a good idea, though implementation may be
difficult. Ideally we'd do a cryptographic check that the input is exactly what
it purports to be; a visual review of the upstream link will tell us that it
is a release in a known website and/or a tag in the upstream repository. One
thing to watch out for is "random commits", because on GitHub they can be in
any fork instead of the one in the link.
The big issue that I can see is the how: unless we start importing the
tarballs themselves, cryptographic verification is difficult. Could the bot re-do
the steps as specified (download tarball or git checkout the tag,
cryptographically verify, then apply any pending patches) and verify that the
result is identical to the commit?
I have a script I use to do most of that for $DAYJOB. For example, for the
sqlite dependency, the input is:
version=3500400
sources='https://www.sqlite.org/2025/sqlite-autoconf-${version}.tar.gz'
checksum=sha256:a3db587a1b92ee5ddac2f66b3edb41b26f9c867275782d46c3a088977d6a5b18
and for the Intel ISA-L, which is a dependency that doesn't upload source
tarballs to the GitHub release assets, it checks the Git tree's[1] SHA-1:
version=2.31.1
git_url=https://github.com/intel/isa-l
checksum=gitsha1:7c92b61963c5f114588c45dcd0c22ca45e777a97
Then a different script applies all *.patch files (lexicographically sorted)
prior to building.
Updating a dependency for us is simply updating the "version" line and the
expected checksum.
[1] we use the git tree because this script runs without Internet access
during the container build process. With Internet access, I'd instead clone
the repository and check out / git archive a Git tag, which will be sufficient
verification.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Principal Engineer - Intel Data Center Group
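As an added illustration (not Thiago's script, which is not posted here), a small offline verifier for pin files in the format quoted above. It assumes one shell-style KEY=value line per file with ${var} expansion, and that "gitsha1:" names the Git tree id of an unpacked checkout, which it recomputes with Git's own object encoding so no git binary or network access is needed (symlinks and submodules are not handled).

```python
"""Verify a dependency pin: sha256 over a tarball, or gitsha1 over a directory."""
import hashlib, os, pathlib, re, tempfile

SPEC_RE = re.compile(r"""^(\w+)=(?:'([^']*)'|"([^"]*)"|(\S*))$""")
EMPTY_TREE = bytes.fromhex("4b825dc642cb6eb9a060e54bf8d69288fbee4904")  # git's empty tree

def parse_spec(text):
    """Parse KEY=value lines (assumed format) and expand ${var} references."""
    vars_ = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"bad spec line: {line!r}")
        vars_[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return {k: re.sub(r"\$\{(\w+)\}", lambda r: vars_[r.group(1)], v) for k, v in vars_.items()}

def git_object_id(kind, data):
    """SHA-1 of a loose Git object: '<kind> <size>\\0<data>'."""
    return hashlib.sha1(kind.encode() + b" %d\0" % len(data) + data).digest()

def git_tree_id(directory):
    """Git tree id of a directory: entries byte-sorted by name (directories sort as
    'name/'), each encoded as 'mode name\\0<20-byte id>'; empty dirs are omitted."""
    entries = []
    for e in sorted(os.scandir(directory), key=lambda e: (e.name + "/" * e.is_dir()).encode()):
        if e.name == ".git":
            continue
        if e.is_dir():
            sub = git_tree_id(e.path)
            if sub != EMPTY_TREE:
                entries.append((b"40000", e.name.encode(), sub))
        else:
            mode = b"100755" if os.stat(e.path).st_mode & 0o111 else b"100644"
            entries.append((mode, e.name.encode(), git_object_id("blob", pathlib.Path(e.path).read_bytes())))
    return git_object_id("tree", b"".join(m + b" " + n + b"\0" + i for m, n, i in entries))

def verify(spec, path):
    """True iff the file (sha256) or unpacked directory (gitsha1) matches spec['checksum']."""
    algo, _, expected = spec["checksum"].partition(":")
    if algo == "sha256":
        actual = hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()
    elif algo == "gitsha1":
        actual = git_tree_id(path).hex()
    else:
        raise ValueError(f"unsupported checksum type {algo!r}")
    return actual == expected.lower()

def make_sample_tree(files):
    """Constructed sample input: write {relative name: bytes} into a fresh temp dir."""
    d = tempfile.mkdtemp()
    for name, content in files.items():
        p = pathlib.Path(d, name)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return d
```

A bot re-doing the steps from the post would call parse_spec on the pin file, fetch spec["sources"] or check out the tag, run verify, and only then apply the sorted *.patch files.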