Demi Marie Obenour wrote:
> And is kept up to date, unlike QtWebEngine. QtWebEngine is invariably
> behind on security patches. I blame Google for not making embedded
> Chromium a first-class citizen.
Qt backports security fixes to its stable branches, a service Google is not
offering by themselves. (Firefox, on the other hand, does support something
comparable, with Firefox ESR, but Fedora chooses not to ship that.) Of
course, backporting fixes takes time.
Even Qt 5 QtWebEngine (considered obsolete by Qt) still gets security fixes,
and they are published in git under the LGPL as soon as the commercial Qt
5.15.x LTS release is released. (In fact, they are pushed even earlier, as
soon as they are backported by Qt developers, and the branch is then tagged
when the commercial LTS is released. But the backports typically happen on
the Qt release schedule, meaning they are usually only done in git when a Qt
release is planned soon, not daily.)
Now, does that mean there is a delay between when the patch is released by
Google and when it is released by Qt? Yes, it does. But we have actually
been sitting longer on those security fixes in Fedora than Qt did, e.g.,
QtWebEngine 5.15.11 was never pushed, and 5.15.12 took 3+ weeks to get out
to Fedora users. At that point, Fedora had been sitting on the 5.15.11
security fixes for 3+ months, and missed the deadline for getting those out
to users of Fedora 35 before its EOL. So before complaining about the
delayed security fixes in Qt, we should focus on getting QtWebEngine
releases out to users much faster (and the updates should always be tagged
as "security", not "bugfix" or even "enhancement").
Kevin Kofler