[Interest] Qt WebEngine 5.15.3 tag

[Florian Bruhin]

On Tue, Mar 09, 2021 at 10:41:51AM +0100, Benjamin TERRIER wrote:
> I would not mind if it was just a matter of tag, but the fact that the
> change file for 5.15.3 (changes-5.15.3) is not present on the 5.15.3 branch
> in the public repo does not help making this branch trustworthy.

That's no accident FWIW, see the discussions here:
https://codereview.qt-project.org/c/qt/qtwebengine/+/335435
https://codereview.qt-project.org/c/qt/qtwebengine/+/337355

Here's the changes file before the change adding it was abandoned:
https://codereview.qt-project.org/c/qt/qtwebengine/+/335435/6/dist/changes-5.15.3

It's... bizarre. Even more so for a highly security-relevant piece of Qt
(and a release which fixes 29 CVEs plus 9+ other security bugs).

You'd think that The Qt Company would have an interest in keeping their
users secure, paying or not. Perhaps someone should take the time to go
through those CVEs and make sure that Qt is marked as a known affected
product with no public fix released ;)

Excuse the snark - I fully respect that TQtC needs to pay its employees
after all, but honestly, this is negligent even from a business
perspective. I don't care much about this change for qtbase or anything
else (where security bugs aren't that prevalent, and where projects can
migrate to Qt 6), but for QtWebEngine with no upgrade path available as
of now, this is a horrible idea no matter how you look at it.

Florian

-- 
            me at the-compiler.org | https://www.qutebrowser.org 
       https://bruhin.software/ | https://github.com/sponsors/The-Compiler/
       GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
             I love long mails! | https://email.is-not-s.ms/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20210309/57b03fdc/attachment.sig>