[Interest] Qt5.15 from source on centOS 7

Thiago Macieira thiago.macieira at intel.com
Mon Jun 20 00:06:32 CEST 2022


On Sunday, 19 June 2022 14:29:33 PDT Chris Benesch wrote:
> Build OpenSSL 3 and add its install directory lib/pkgconfig to
> PKG_CONFIG_PATH and choose -openssl-linked as one of the config
> parameters.  If you can get through configure, it should build.

OpenSSL 3 isn't supported in 5.15.

Use the very latest release from 1.1, but no older and no newer.

Then there's the question of whether you want to ship OpenSSL libraries with 
your product. If you do, then you must also keep an eye on OpenSSL security
advisories and make proper and timely updates to your release. Be prepared to 
make new builds and release to customers once per month. If you can't sustain 
this rate, then don't ship OpenSSL.

You don't have to do it: the default build doesn't link to OpenSSL, but 
instead tries to find it at runtime and dlopen()s it. That places the burden of
providing OpenSSL and keeping it up to date on your user, not you. If they 
choose to be vulnerable by choice or by ignorance, it's not your fault.

If you choose this route, make sure your application works properly when 
OpenSSL 1.1 is missing. By "properly", I mean "doesn't crash left and right". 
Please make sure that it is not silently falling back to unencrypted 
connections where encrypted were required. If your application requires 
encrypted connections to work at all, then display a dialog with a link to 
documentation on how to install OpenSSL.

PS: OpenSSL is the most visible and most important library when it comes to 
patching security vulnerabilities, but is not the only one. You should do the 
same for ALL libraries you ship with your application, and that includes ALL 
the libraries that are bundled inside Qt's source. For example, the just-
released Qt 5.15.5-LTS includes a vulnerable version of zlib, so you should 
patch it.

Better yet, don't use bundled libraries.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Cloud Software Architect - Intel DCAI Cloud Engineering
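
The run-time lookup and the "no silent fallback" rule from the message above, as an added example that is not part of the original post and is not Qt's own code. It assumes Linux sonames `libssl.so.1.1` and `libcrypto.so.1.1`; the `TlsBackend`, `Action`, `probeOpenSsl11` and `decide` names and the sample URL are hypothetical. In a Qt application, `QSslSocket::supportsSsl()` reports the same condition.

```cpp
// Added example, not Qt source: probe for OpenSSL 1.1 the way a run-time
// loader would, then apply a fail-closed connection policy.
#include <dlfcn.h>
#include <cstdio>
#include <string>

enum class TlsBackend { Missing, Unsupported, Usable };
enum class Action { Connect, RefuseAndShowInstallHelp };  // hypothetical names

// OpenSSL packs its version as 0xMNNFFPPS; only the 1.1 series is accepted.
TlsBackend classifyVersion(unsigned long v) {
    unsigned major = (v >> 28) & 0xF, minor = (v >> 20) & 0xFF;
    return (major == 1 && minor == 1) ? TlsBackend::Usable
                                      : TlsBackend::Unsupported;
}

// Both libraries must load from the system; nothing is bundled or linked.
TlsBackend probeOpenSsl11() {
    void *ssl = dlopen("libssl.so.1.1", RTLD_NOW | RTLD_LOCAL);
    void *crypto = dlopen("libcrypto.so.1.1", RTLD_NOW | RTLD_LOCAL);
    TlsBackend result = TlsBackend::Missing;
    if (ssl && crypto) {
        using VersionFn = unsigned long (*)();
        auto fn = reinterpret_cast<VersionFn>(dlsym(crypto, "OpenSSL_version_num"));
        result = fn ? classifyVersion(fn()) : TlsBackend::Unsupported;
    }
    if (ssl) dlclose(ssl);
    if (crypto) dlclose(crypto);
    return result;
}

// An endpoint that requires encryption is refused, never downgraded.
Action decide(const std::string &url, TlsBackend tls) {
    bool needsTls = url.rfind("https://", 0) == 0 || url.rfind("wss://", 0) == 0;
    if (needsTls && tls != TlsBackend::Usable)
        return Action::RefuseAndShowInstallHelp;
    return Action::Connect;
}

int main() {
    const std::string url = "https://service.example.invalid/api";  // constructed
    if (decide(url, probeOpenSsl11()) == Action::RefuseAndShowInstallHelp) {
        std::fprintf(stderr, "OpenSSL 1.1 not found: refusing %s. "
                             "See the documentation on installing OpenSSL.\n", url.c_str());
        return 1;
    }
    std::puts("OpenSSL 1.1 available, connecting over TLS");
    return 0;
}
```

With glibc older than 2.34, link with `-ldl`.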
