[Interest] Qt5.15 from source on centOS 7
Thiago Macieira
thiago.macieira at intel.com
Mon Jun 20 00:06:32 CEST 2022
On Sunday, 19 June 2022 14:29:33 PDT Chris Benesch wrote:
> Build OpenSSL 3 and add its install directory lib/pkgconfig to
> PKG_CONFIG_PATH and choose -openssl-linked as one of the config
> parameters. If you can get through configure, it should build.

OpenSSL 3 isn't supported in 5.15.

Use the very latest release from 1.1, but no older and no newer.

Then there's the question of whether you want to ship OpenSSL libraries with
your product. If you do, then you must also keep an eye on OpenSSL security
advisories and make proper and timely updates to your release. Be prepared to
make new builds and release to customers once per month. If you can't sustain
this rate, then don't ship OpenSSL.

You don't have to do it: the default build doesn't link to OpenSSL, but
instead tries to find it at runtime and dlopens() it. That places the burden of
providing OpenSSL and keeping it up to date on your user, not you. If they
choose to be vulnerable by choice or by ignorance, it's not your fault.

If you choose this route, make sure your application works properly when
OpenSSL 1.1 is missing. By "properly", I mean "doesn't crash left and right".
Please make sure that it is not silently falling back to unencrypted
connections where encrypted were required. If your application requires
encrypted connections to work at all, then display a dialog with a link to
documentation on how to install OpenSSL.

PS: OpenSSL is the most visible and most important library when it comes to
patching security vulnerabilities, but is not the only one. You should do the
same for ALL libraries you ship with your application, and that includes ALL
the libraries that are bundled inside Qt's source. For example, the
just-released Qt 5.15.5-LTS includes a vulnerable version of zlib, so you should
patch it.

Better yet, don't use bundled libraries.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Cloud Software Architect - Intel DCAI Cloud Engineering
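
The fail-closed behaviour the message asks for when OpenSSL 1.1 cannot be found at runtime, as an added example in plain C++ (not part of the original message and not Qt's own code). The function names, the `Decision` enum and the soname `libssl.so.1.1` are assumptions for illustration; in a Qt application the availability probe would be `QSslSocket::supportsSsl()`.

```cpp
// Added example, not Qt code: fail-closed handling when OpenSSL 1.1 is absent.
#include <dlfcn.h>
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

enum class Decision { ConnectEncrypted, ConnectPlain, RefuseAndShowInstallHelp };

// Try each candidate soname; a usable libssl 1.1 exports TLS_client_method.
bool tlsBackendAvailable(const std::vector<std::string>& sonames) {
    for (const std::string& name : sonames) {
        void* handle = dlopen(name.c_str(), RTLD_NOW | RTLD_LOCAL);
        if (!handle) continue;                       // not installed: try next
        bool usable = dlsym(handle, "TLS_client_method") != nullptr;
        dlclose(handle);
        if (usable) return true;
    }
    return false;
}

// True for URL schemes that must never be carried over a plaintext socket.
bool schemeRequiresTls(const std::string& url) {
    std::string scheme = url.substr(0, url.find("://"));
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme == "https" || scheme == "wss";
}

// The only path to ConnectPlain is a URL that never asked for encryption.
Decision decide(const std::string& url, bool tlsAvailable) {
    if (!schemeRequiresTls(url)) return Decision::ConnectPlain;
    return tlsAvailable ? Decision::ConnectEncrypted
                        : Decision::RefuseAndShowInstallHelp;
}

int main() {
    // Assumed soname for OpenSSL 1.1 on Linux; the URL is a constructed sample.
    bool tls = tlsBackendAvailable({"libssl.so.1.1"});
    Decision d = decide("https://example.invalid/api", tls);
    if (d == Decision::RefuseAndShowInstallHelp)
        std::puts("TLS required but OpenSSL 1.1 not found: show install help, do not connect");
    else
        std::puts("connecting over TLS");
    return 0;
}
```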