Changeset 4eb513e


Timestamp:
03/19/2021 04:32:57 AM (6 months ago)
Author:
Ken Moffat <ken@…>
Branches:
11.0, qt5new, trunk, xry111/git-date, xry111/git-date-for-trunk, xry111/git-date-test
Children:
94f5f13
Parents:
64b8189
Message:

Update qtwebengine to 5.15.3 from git.

This is a lot bigger and slower to build.

Downgrade the 'Caution's in qtwebengine and falkon to 'Warning's.
I am not yet suggesting we should deprecate those two packages,
but users should start to ask themselves whether they want to use
a package where the upstreams are happy to stick with python2
and have no interest in running on current glibc.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24382 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:
5 edited

  • general.ent

    r64b8189 r4eb513e  
    11<!-- $LastChangedBy$ $Date$ -->
    22
    3 <!ENTITY day          "17">                   <!-- Always 2 digits -->
     3<!ENTITY day          "18">                   <!-- Always 2 digits -->
    44<!ENTITY month        "03">                   <!-- Always 2 digits -->
    55<!ENTITY year         "2021">
     
    77<!ENTITY copyholder   "The BLFS Development Team">
    88<!ENTITY version      "&year;-&month;-&day;">
    9 <!ENTITY releasedate  "March 17th, &year;">
     9<!ENTITY releasedate  "March 18th, &year;">
    1010<!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
    1111<!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
  • introduction/welcome/changelog.xml

    r64b8189 r4eb513e  
    4343    -->
    4444    <listitem>
     45      <para>March 18th, 2021</para>
     46      <itemizedlist>
     47        <listitem>
     48          <para>[ken] - Update to qtwebengine-5.15.3 from git (security fixes).
     49          Fixes <ulink url="&blfs-ticket-root;14729">#14729</ulink>.</para>
     50        </listitem>
     51      </itemizedlist>
     52    </listitem>
     53
     54    <listitem>
    4555      <para>March 17th, 2021</para>
    4656      <itemizedlist>
  • packages.ent

    r64b8189 r4eb513e  
    757757<!ENTITY pangomm-version              "2.46.0">
    758758<!ENTITY qt5-version                  "5.15.2">
    759 <!ENTITY qtwebengine-version          "5.15.2">
     759<!ENTITY qtwebengine-version          "5.15.3">
    760760<!ENTITY qtwebkit-version             "5.9.0">
    761761<!ENTITY qscintilla-version           "2.10.4">
  • x/lib/qtwebengine.xml

    r64b8189 r4eb513e  
    66
    77  <!ENTITY qtwebengine-major "5.15">
     8<!-- URL if there is a public release
    89  <!ENTITY qtwebengine-download-http "https://download.qt.io/archive/qt/&qtwebengine-major;/&qtwebengine-version;/submodules/qtwebengine-everywhere-src-&qtwebengine-version;.tar.xz">
     10     URL for a prepared git version -->
     11  <!ENTITY qtwebengine-download-http "&sources-anduin-http;/qtwebengine/qtwebengine-&qtwebengine-version;.tar.xz">
    912  <!ENTITY qtwebengine-download-ftp  " ">
    10   <!ENTITY qtwebengine-md5sum        "c88cbe3158feb20c4feb3d54262feb23">
    11   <!ENTITY qtwebengine-size          "267 MB">
    12   <!ENTITY qtwebengine-buildsize     "4.4 GB (145 MB installed)">
    13   <!ENTITY qtwebengine-time          "64 SBU (Using parallelism=4)">
     13  <!ENTITY qtwebengine-md5sum        "838d5d4ef9d1e5b82a41bff6f830e4a4">
     14  <!ENTITY qtwebengine-size          "306 MB">
     15  <!ENTITY qtwebengine-buildsize     "4.4 GB (154 MB installed)">               
     16  <!ENTITY qtwebengine-time          "64 SBU (Using parallelism=4)">           
    1417]>
    1518
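Review bot: qtwebengine-md5sum on line 13 now covers a tarball prepared from git and served from &sources-anduin-http; rather than an upstream release, but nothing beside these entities records which commits it was built from. A comment here naming the qtwebengine commit and the chromium submodule revision would let another editor rebuild the tarball and compare it. Lines 15 and 16 also end in trailing whitespace.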
     
    4043    </para>
    4144
    42     <caution>
     45    <!-- Note for editors re switching between git versions and releases:
     46      If a public release of Qt 5.15.3 (or later) appears in a meaningful
     47      time frame, please keep the notes re the git build, as comments, so
     48      that updating for later fixes will be easier: in the past, updates
     49      of 'stable' versions (i.e. 5.12 when 5.14, 5.15 were the newest)
     50      happened much later than updates to the newest version (now Qt6)
     51      and it seems likely we might again need to use a git version to fix
     52      future chromium vulnerabilities. -->
     53
     54    <warning>
    4355      <para>
    4456        QtWebEngine uses a forked copy of chromium, and is therefore vulnerable
    4557        to many issues found there. The Qt developers have always preferred to
    4658        make releases at the same time as the rest of Qt (rather than adding
    47         emergency fixes). Now that they are keen to move to Qt6, the 5.15.3 and
    48         later Qt-5.15 releases are initially only available to paying customers.
    49         QtWebEngine is something of an exception because of its LGPL licence,
    50         but the source in git and its forked submodules is not neatly packaged.
    51         Until someone is able to build this on BLFS, using this package and
    52         browsers which use it leaves you open you to unpatched security
    53         vulnerabilities.
    54       </para>
    55     </caution>
     59        emergency fixes), but with stable versions getting released after the
     60        current development version. Now that they are keen to move to Qt6, the
     61        5.15.3 and later Qt-5.15 releases are initially only available to paying
     62        customers. QtWebEngine is something of an exception because of its LGPL
     63        licence, but getting the git sources (with the forked chromium submodule)
     64        to a position where they will successfully build on a current BLFS system
     65        can take a lot of effort and therefore updates to the book may be delayed.
     66      </para>
     67
     68      <para>
     69        It seems likely that future 5.15-series versions will also be released
     70        long after the chromium vulnerabilities are known.
     71      </para>
     72
     73      <para> <!-- for git versions -->
     74        The tarball linked to above was created from the 5.15 git branch
     75        at https://code.qt.io/cgit/qt/qtwebengine.git commit 029771bcd254
     76        just before the version there was rolled on for 5.15.4,
     77        <!-- the DTS doesn't let me put a url in a para -->
     78        <!--ulink url="https://code.qt.io/cgit/qt/qtwebengine.git/commit/?h=5.15&amp;id=029771bcd254"/>code.qt.io/cgit/qt/qtwebengine.git</ulink>-->
     79        with the chromium submodule using the 87-branch at revision 7c8217b36a95.
     80      </para>
     81    </warning>
     82
     83    <!-- note for editors on obtaining webengine from git.
     84      First (if you do not already have a past version)
     85      git clone git://code.qt.io/qt/qtwebengine.git
     86      git submodule init -
     87       that will report qtwebengine-chromium.git registered for src/3rdparty
     88       now find the main branch names:
     89      git fetch origin
     90      git branch -r
     91       after a release is prepared (even if the rest is not public), the 5.15
     92       branch is probably what you want
     93      git checkout origin/5.15
     94       Confirm that HEAD is where you expected.
     95       Now go to src/3rdparty
     96      git fetch origin
     97      git branch -r
     98       The required branch is likely to be 87-branch unless there is a newer one
     99      git checkout origin/87-branch (or whatever)
     100       Use git log or git tk to look at its HEAD and check it seems appropriate.
     101
     102      Now create tarballs - 'git archive' does not work across submodule boundaries,
     103      so you need to create one archive from the top of qtwebengine/ and another
     104      from the top of src/3rdparty (chromium, gn, ninja are apparently all part of
     105      the qtwebengine-chromium module).  Then in a work area untar the qtwebengine
     106      tarball, go down to src/3rdparty and untar the submodule tarball.
     107      Decide on what to call the result and create a full xz tarball using tar -cJf.
     108     -->
    56109
    57110    &lfs101_checked;
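Review bot: the editors' note at lines 85 to 100 clones with `git clone git://code.qt.io/qt/qtwebengine.git`, and the git:// transport is neither encrypted nor authenticated, which matters when the result becomes the tarball the book points readers to; the warning paragraph on line 75 already cites an https://code.qt.io address, so an https:// clone URL would be the consistent choice. The same note runs `git submodule init` and then works inside src/3rdparty without a `git submodule update`, so on a fresh clone nothing is checked out in that directory yet. 'git tk' on line 100 is presumably gitk.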
     
    116169        <para>
    117170          Required patch:
     171          <!-- keep links for releases and git versions as a reminder
     172               that the tarball names names differ -->
    118173          <ulink url="&patch-root;/qtwebengine-everywhere-src-&qtwebengine-version;-ICU68-2.patch"/>
    119         </para>
    120       </listitem>
    121       <listitem>
    122         <para>
    123           Required patch:
    124           <ulink url="&patch-root;/qtwebengine-everywhere-src-&qtwebengine-version;-glibc233-1.patch"/>
     174          <ulink url="&patch-root;/qtwebengine-&qtwebengine-version;-build_fixes-1.patch"/>
    125175        </para>
    126176      </listitem>
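Review bot: the ICU68-2 ulink on line 173 stays live in the same para as the new build_fixes-1 link, so the rendered page still lists it as a required patch although this changeset removes the command that applied it. If it is kept only as the reminder described in the comment on lines 171 and 172, it should sit inside that comment. The comment also has a doubled word, 'names names'.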
     
    132182      <!-- the qmake output tends to be misleading. 'khr' is from Mesa -->
    133183    <para role="required">
     184      <xref linkend="node"/>,
    134185      <xref linkend="nss"/>,
    135186      <xref linkend="python2"/>, and
     
    173224    <title>Installation of qtwebengine</title>
    174225
    175     <para>
    176       First, ensure that the local headers are available when not building as
     226    <note>
     227      <para>
     228        Unlike version 5.15.2, the chromium-derived build system now needs
     229        <command>python</command> to be available and to be python2. In
     230        BLFS-10.1 the creation of the python symlink was removed as a step
     231        towards eventually getting rid of python2 (other old packages which
     232        need python2 usually work by invoking python2). If you are still
     233        using an earlier version of BLFS where
     234        <filename>/usr/bin/python</filename> exists, you can skip the
     235        commands to create the symlink, and to later remove it.
     236      </para>
     237    </note>
     238
     239    <para>
     240      First, as the <systemitem class="username">root</systemitem>
     241      user, create the python symlink:
     242    </para>
     243
     244<screen role="root"><userinput>ln -svf /usr/bin/python{2,}</userinput></screen>
     245
     246    <para>
     247      Now apply a patch to fix several issues that can prevent the build working:
     248    </para>
     249
     250<screen><userinput remap="pre">patch -Np1 -i ../qtwebengine-&qtwebengine-version;-build_fixes-1.patch</userinput></screen>
     251
     252<!-- start of commands for git versions only -->
     253    <para>
     254      Although the patch has ensured that git is not invoked during the build,
     255      the build system has labyrinthine rules of byzantine complexity, and in
     256      particular trying to build without two <filename>.git</filename> directories
     257      will lead to it eventually falling into unexpected and unbuildable code
     258      which references a private header that has not been created. Avoid this
     259      by creating the required directories:
     260    </para>
     261
     262<screen><userinput>mkdir -pv .git src/3rdparty/chromium/.git</userinput></screen>
     263
     264    <para>
     265      Because this version of qtwebengine is aimed at a later release than the
     266      current public releases, change it to build for qt-&qt5-version; using a
     267      sed:
     268    </para>
     269
     270<screen><userinput>sed -e '/^MODULE_VERSION/s/5.*/&qt5-version;/' -i .qmake.conf</userinput></screen>
     271<!-- end of commands for git versions only -->
     272
     273    <para>
     274      Now, ensure that the local headers are available when not building as
    177275      part of the complete <xref linkend="qt5"/>:
    178276    </para>
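Review bot: `ln -svf /usr/bin/python{2,}` on line 244 runs as root with -f, so where /usr/bin/python already exists and points somewhere else it is silently replaced; the note above only says such readers can skip the step, not that they should. Dropping -f would make the command fail visibly instead, and the text could state that the link stays in place system-wide for the whole build until the later removal step.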
     
    180278<screen><userinput>find -type f -name "*.pr[io]" |
    181279  xargs sed -i -e 's|INCLUDEPATH += |&amp;$$QTWEBENGINE_ROOT/include |'</userinput></screen>
    182 
    183     <para>
    184       Next, apply a patch that fixes the build with system ICU version 68.1.
    185     </para>
    186 
    187 <screen><userinput remap="pre">patch -Np1 -i ../qtwebengine-everywhere-src-&qtwebengine-version;-ICU68-2.patch</userinput></screen>
    188 
    189     <para>
    190       Now apply a patch to fix an issue introduced by glibc-2.33.
    191     </para>
    192 
    193 <screen><userinput remap="pre">patch -Np1 -i ../qtwebengine-everywhere-src-&qtwebengine-version;-glibc233-1.patch</userinput></screen>
    194280
    195281    <para>
     
    252338
    253339<screen role="root"><userinput>make install</userinput></screen>
     340
    254341    <!-- EDITORS NOTE: If you are updating this package, use INSTALL_ROOT=
    255342         instead of DESTDIR= -->
     
    269356<screen role="root"><userinput>find $QT5DIR/ -name \*.prl \
    270357   -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d' {} \;</userinput></screen>
     358
     359    <para>
     360      Finally, as the <systemitem class="username">root</systemitem>
     361      user, remove the python symlink:
     362    </para>
     363
     364<screen role="root"><userinput>rm -v /usr/bin/python</userinput></screen>
    271365  </sect2>
    272366
     
    300394      ninja with the specified number of jobs (i.e. 4).
    301395      There are several reasons why you might want to do this:
    302       </para>
     396    </para>
    303397     
    304398      <itemizedlist>
     
    349443      </para>
    350444
     445      <para>
     446        If a browser using this package fails to run and when run
     447        from a term it reports 'Trace/breakpoint trap' that is
     448        probably a kernel configuration issue - there is no need
     449        to rebuild QtWebEngine, see the next section, recompile
     450        the kernel and reboot to the new kernel.
     451      </para>
     452
    351453    </sect3>
    352454
    353455  </sect2>
    354456
     457  <sect2 role="kernel" id="qtwebengine-kernel">
     458    <title>Kernel Configuration</title>
     459
     460    <para>
     461      Enable the following options in the kernel configuration and recompile the
     462      kernel if necessary:
     463    </para>
     464
     465<!-- Spaces are significant in <screen> sections -->
     466<screen><literal>General setup ---&gt;
     467  -*- Namespaces support ---&gt;
     468    [*]     UTS namespace                     [CONFIG_UTS_NS]
     469    [*]     TIME namespace                    [CONFIG_TIME_NS]
     470    [*]     IPC namespace                     [CONFIG_IPC_NS]
     471    [ ]     User namespace                    #CONFIG_USER_NS is not set
     472    [*]     PID namespace                     [CONFIG_PID_NS]
     473    [*]     Network namespace                 [CONFIG_NET_NS]</literal></screen>
     474
     475    <para>
     476      These are now the default options. Do <emphasis>NOT</emphasis> enable
     477      User namespace (CONFIG_USER_NS), it <emphasis>will</emphasis> cause
     478      libQtWebengineCore to crash.
     479    </para>
     480
     481    <indexterm zone="qtwebengine qtwebengine-kernel">
     482      <primary sortas="d-qtwebengine">qtwebengine</primary>
     483    </indexterm>
     484  </sect2>
    355485
    356486  <sect2 role="content">
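Review bot: the new para at lines 446 to 450 calls 'Trace/breakpoint trap' a kernel configuration issue and points to 'the next section' without naming the option; the section added below has id qtwebengine-kernel and singles out CONFIG_USER_NS, so an xref to that id together with the option name would be clearer. 'These are now the default options' on line 476 does not say whose defaults are meant, and the statement that enabling CONFIG_USER_NS will crash libQtWebengineCore gives no reason or ticket reference a reader could follow up.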
  • xsoft/graphweb/falkon.xml

    r64b8189 r4eb513e  
    4242    </para>
    4343
    44     <caution>
     44    <warning>
    4545      <para>
    46         Falkon re;lies on QtWebEngine. That uses a forked copy of chromium, and
     46        Falkon relies on QtWebEngine. That uses a forked copy of chromium, and
    4747        is therefore vulnerable to many issues found there. The Qt developers
    4848        have always preferred to make releases at the same time as the rest of Qt
     
    5050        Qt6, the 5.15.3 and later Qt-5.15 releases are initially only available
    5151        to paying customers. QtWebEngine is something of an exception because of
    52         its LGPL licence, but the source in git and its forked submodules is not
    53         neatly packaged. Until someone is able to build this on BLFS, using
    54         falkon leaves you open you to unpatched security vulnerabilities.
     52        its LGPL licence, but getting the git sources (with the forked chromium
     53        submodule) to a point where they will successfully build on a current
     54        BLFS system can take a lot of effort. Be aware that future fixes for
     55        vulnerabilities might be very delayed, to the extent that you might wish
     56        to consider using a different browser.
    5557      </para>
    56     </caution>
     58    </warning>
    5759
    5860    &lfs101_checked;
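Review bot: the rewritten warning in falkon.xml is a near copy of the one in qtwebengine.xml, and the two already differ in wording ('to a point where' on line 53 here, 'to a position where' there). Pointing to the qtwebengine warning with an xref, or sharing the text through an entity, would keep the two from drifting further the next time the security status changes.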