[Interest] Chromium build failure, SSL and Qt 5.6.3 vs 5.6.0,

Allan Sandfeld Jensen kde at carewolf.com
Tue Jul 31 13:45:13 CEST 2018


On Dienstag, 31. Juli 2018 13:32:38 CEST Christian Gagneraud wrote:
> On 31 July 2018 at 21:43, Allan Sandfeld Jensen <kde at carewolf.com> wrote:
> > On Sonntag, 29. Juli 2018 22:58:41 CEST Christian Gagneraud wrote:
> >> Hi,
> >> 
> >> We used to build Qt-5.6.3 on and for Linux-i386.
> >> I recently had to downgrade to Qt-5.6.0 (see below), but now the build
> >> fails with:
> >> 
> >> qtwebengine/src/3rdparty/chromium/net/third_party/nss/ssl/ssl3con.c:
> >> In function 'ssl3_ChaCha20Poly1305':
> >> qtwebengine/src/3rdparty/chromium/net/third_party/nss/ssl/ssl3con.c:2118:
> >> 15: error: 'CK_NSS_AEAD_PARAMS {aka struct CK_NSS_AEAD_PARAMS}' has no
> >> member named 'pIv'
> >> 
> >>      aeadParams.pIv = (unsigned char *) additionalData;
> >>      
> >>                ^
> >> 
> >> qtwebengine/src/3rdparty/chromium/net/third_party/nss/ssl/ssl3con.c:2119:
> >> 15: error: 'CK_NSS_AEAD_PARAMS {aka struct CK_NSS_AEAD_PARAMS}' has no
> >> member named 'ulIvLen'
> >> 
> >>      aeadParams.ulIvLen = 8;
> >>      
> >>                ^
> >> 
> >> Are there any special requirements,or actually is there a difference
> >> in the requirements, to build Qt5.6.0 vs Qt-5.6.3?
> > 
> > Yes. It is most likely NSS, it could in 5.6.0 be used for both encryption
> > and certicate checking but in 5.6.3 is only used for certificate
> > checking. You can try using NSS 3.21, but note it will report most Google
> > certificates as broken. You can also try removing libnss-dev in which
> > case OpenSSL will be used for both, but that also means most Google
> > certicates are reported as broken (because they objectively are signed by
> > a too weak root).
> 
> Thanks for all the details, greatly appreciated. I'll have to dig that
> further, will report.
> 
> > See https://codereview.qt-project.org/#/c/153890/ perhaps you can cherry
> > pick it, though it might not be easy QtWebEngine also upgraded from
> > Chromium 45 to 49 in the 5.6 series.
> 
> What can I say other than:
> Should this (Chromium 45 -> 49) be part of "patch" release?

The question was: Do you want security fixes or not? The reason it was done is 
because we have upped our game on security fixes in webengine.

Note 5.6.2 was the first and so far only time we have done this in a patch 
release, and I don't think it was worth the trouble. Since then I have 
prefered to recommend people using a more modern qtwebenigne with older 
qtbase. Note for instance, you can use up to QtWebEngine 5.9.x with the rest 
of Qt being 5.6. In fact if you use QtWebEngine on potentially hostile 
content, I would strongly recommend it as Qt 5.6.x is not updated as 
regularly.

In fact using a newer QtWebEngine even if just the last one from 5.6.x with 
qtdeclarive being 5.6.0, might solve your problems.

> To the point that now the "Qt Maintenance Tool" offers you to install
> different patch release, like nobody trust they are actually
> equivalent and ABI backward compatible as they used to be...

I don't think that is fair. I know there has been a few mistakes, but they 
have usually been corner cases. When every other C++ project broke ABI due to 
C++11 Qt was able to maintain it due to how serious we have always taken it. 
But yes, you should always check if things still work when upgrading.

Best Regards
'Allan





More information about the Interest mailing list