Opened 4 months ago
Closed 4 months ago
#20743 closed enhancement (fixed)
qt6-6.8.1 qtwebengine-6.8.1
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | high | Milestone: | 12.3 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (11)
comment:1 by , 4 months ago
Priority: | normal → high |
---|
comment:2 by , 4 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 4 months ago
When I've got this update done I will send an email to the lists due to its critical nature.
comment:4 by , 4 months ago
Release notes for Qt6 can be found at https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.8.1/release-note.md
comment:5 by , 4 months ago
I've been encountering some issues trying to build this package that I think are related to https://bugreports.qt.io/browse/QTBUG-130557
Qt 6.8.1 has a Software Bill Of Materials, see https://www.qt.io/blog/qt-6.8-software-bill-of-materials
The problem is that it's generating the SBOM with build time paths, similar to what we've encountered in the past with PRL files. https://codereview.qt-project.org/c/qt/qtbase/+/609177/2/cmake/QtPublicSbomHelpers.cmake contains a fix for Qt 6.8, but I think the best approach for now may be to pass -no-sbom.
The build failure in question happens during the install stage (which makes this really annoying...):
```
-- Starting SBOM generation in build dir: /sources/scratchspace/qt-everywhere-src-6.8.1
/qt-everywhere-src-6.8.1/qtimageformats/qt_sbom/staging-qtimageformats.spdx.in
CMake Error at qtimageformats/qt_sbom/DocumentRef-qtbase.cmake:11 (message):
  Could not find external SBOM document sbom/qtbase-6.8.1.spdx in any of the
  document dir paths:
  /sources/scratchspace/qt-everywhere-src-6.8.1/install/opt/qt6;/sources/scratchspace
  /qt-everywhere-src-6.8.1/qt-everywhere-src-6.8.1/qtbase/qt_sbom;/sources/scratchspace
  /qt-everywhere-src-6.8.1/qt-everywhere-src-6.8.1/qtimageformats/qt_sbom;/sources
  /scratchspace/qt-everywhere-src-6.8.1/qt-everywhere-src-6.8.1/qtbase
Call Stack (most recent call first):
  qtimageformats/qt_sbom/assemble_sbom.cmake:32 (include)
  qtimageformats/cmake_install.cmake:62 (include)
  cmake_install.cmake:52 (include)
FAILED: CMakeFiles/install.util
cd /sources/scratchspace/qt-everywhere-src-6.8.1/qt-everywhere-src-6.8.1 && /usr/bin/cmake -P cmake_install.cmake
ninja: build stopped: subcommand failed.
3242.9 Elasped Time - qt-everywhere-src-6.8.1
```
Note that I added newlines to make it fit in Trac :)
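As an added example (not part of the ticket, and not BLFS or Qt code): a post-install check for the problem described in comment 5, build-time paths left behind in installed SBOM (`*.spdx`) and PRL (`*.prl`) files. The function names, the `/build/demo-src` root and the demo file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an install prefix for build-time paths that leaked
# into SBOM (*.spdx) and PRL (*.prl) files.

# list_leaks PREFIX BUILD_ROOT
# Prints "file:line:text" for every line under PREFIX that mentions BUILD_ROOT
# (fixed-string match, trailing slash ignored). The extra /dev/null operand
# makes grep print file names even when only one file is scanned.
list_leaks() {
    find "$1" -type f \( -name '*.spdx' -o -name '*.prl' \) \
        -exec grep -nF -- "${2%/}" /dev/null {} +
}

# count_leaky_files PREFIX BUILD_ROOT: number of distinct affected files.
count_leaky_files() {
    list_leaks "$1" "$2" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# audit PREFIX BUILD_ROOT: returns 0 when clean, 1 (with a report on
# stderr) when any installed file still references the build tree.
audit() {
    n=$(count_leaky_files "$1" "$2")
    if [ "$n" -eq 0 ]; then return 0; fi
    echo "$n file(s) under $1 reference $2:" >&2
    list_leaks "$1" "$2" >&2 || true
    return 1
}

# make_demo: builds a constructed tree with one clean SBOM, one SBOM that
# leaks the build root, and one PRL file that leaks it. Prints the tree path.
make_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/opt/qt6/sbom" "$d/opt/qt6/lib"
    printf 'SPDXVersion: SPDX-2.3\nFileName: ./lib/libQt6Core.so\n' \
        > "$d/opt/qt6/sbom/qtbase-demo.spdx"
    printf 'SPDXVersion: SPDX-2.3\nFileComment: /build/demo-src/qtimageformats\n' \
        > "$d/opt/qt6/sbom/qtimageformats-demo.spdx"
    printf 'QMAKE_PRL_BUILD_DIR = /build/demo-src/qtbase/src/corelib\n' \
        > "$d/opt/qt6/lib/libQt6Core.prl"
    echo "$d"
}

# Usage as a packaging gate: sh audit.sh <install-prefix> <build-root>
if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```

Run against a DESTDIR or the final prefix before packaging; a non-zero exit means the build directory layout is still recorded in what gets shipped.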
comment:6 by , 4 months ago
There are well over 10 warnings output for qtbase/cmake/QtPublicSbomGenerationHelpers.cmake throughout the CMake process too
follow-up: 10 comment:9 by , 4 months ago
I do not see any reason users need a "Software Bill Of Materials". I agree with your fix. However it may be useful for editors. Perhaps the process to create the sbom should be documented in the page comments.
comment:10 by , 4 months ago
Replying to Bruce Dubbs:
> I do not see any reason users need a "Software Bill Of Materials". I agree with your fix. However it may be useful for editors. Perhaps the process to create the sbom should be documented in the page comments.
I agree with you for our users at least, they don't need a SBOM. I'll make sure to add some comments in the page about it :)
comment:11 by , 4 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at 3feb24deed03b1e19a4bb4ec55e738241a576d57
SA-12.2-052 issued
Qt6 doesn't have any security issues, but QtWebEngine does...
Fixed:
CVE-2024-10487 has gotten quite a bit of news coverage as it's an RCE issue and was reported to Google by Apple. It affects the common WebGPU implementation used by Firefox and Safari, but those are already fixed.