Third Party Code in Qt: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
Manordheim (talk | contribs) mNo edit summary |
||
| (15 intermediate revisions by 7 users not shown) | |||
| Line 3: | Line 3: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
!repository!!Qt module | !repository!!Qt module!!3rdparty module!!processed untrusted content!!patches!!upstream!!upgrade process | ||
|- | |- | ||
|qtbase||Qt Core||pcre2||regular expressions||-|| | |qtbase||Qt Core||pcre2||regular expressions||-||http://www.pcre.org/<nowiki/>||Routine pre-release checks of their release [https://github.com/PCRE2Project/pcre2/releases page] on GitHub. Their front-page is lagging a little behind at time of writing. | ||
|- | |- | ||
|qtbase | |qtbase | ||
|Qt Core | |||
|sha1 | |||
|arbitrary stream of bytes | |||
| - | |||
|https://www.dominik-reichl.de/projects/csha1/ | |||
|Replace the .cpp file with the new version from upstream | |||
|- | |- | ||
|qtbase||Qt Core||zlib||zlib compressed data||build fixes for Windows and Apple; exporting symbols | |qtbase | ||
|Qt Core | |||
|sha{224,256,384,512} | |||
|arbitrary stream of bytes | |||
| - | |||
|https://www.rfc-editor.org/rfc/rfc6234#section-8 | |||
|None, maybe look at errata or CVEs | |||
|- | |||
|qtbase | |||
|Qt Core | |||
|sha3 | |||
|arbitrary stream of bytes | |||
|A patch that addresses CVE-2022-37454 | |||
|https://keccak.team/archives.html | |||
|None, the upstream implementation is obsolete. Look for CVEs | |||
|- | |||
|qtbase||Qt Core||tinycbor||Streaming CBOR object||-||https://github.com/intel/tinycbor<nowiki/>||Thiago is its maintainer, so brings us updates when he makes them. | |||
|- | |||
|qtbase||Qt Core||zlib||zlib compressed data||build fixes for Windows and Apple; exporting symbols||http://zlib.net/<nowiki/>||Routine pre-release check of their front page, which links the latest release. | |||
|- | |- | ||
|qtbase||Qt GUI||harfbuzz-ng||fonts||-|| | |qtbase||Qt GUI||harfbuzz-ng||fonts||-|| | ||
|- | |- | ||
|qtbase||Qt GUI||freetype||fonts||-|| | |qtbase||Qt GUI||freetype||fonts||-||https://gitlab.freedesktop.org/freetype<nowiki/>||fetch latest tar-ball, run [https://code.qt.io/cgit/qt/qtbase.git/tree/src/3rdparty/freetype/import_from_tarball.sh script]. Might involve manual fixing of license and build system files, depending on what changed upstream. | ||
|- | |- | ||
|qtbase||Qt GUI||libpng||PNG images|| | |qtbase||Qt GUI||libpng||PNG images||-||http://www.libpng.org/pub/png/libpng.html | ||
| | |||
|- | |- | ||
|qtbase||Qt GUI||libjpeg||JPEG images||-|| | |qtbase||Qt GUI||libjpeg||JPEG images||-||https://sourceforge.net/projects/libjpeg-turbo/ | ||
| | |||
|- | |- | ||
|qtbase||Qt GUI||md4c||markdown text||Fix compiler warnings with MSVC|| | |qtbase||Qt GUI||md4c||markdown text||Fix compiler warnings with MSVC|| || | ||
|- | |- | ||
|qtbase||Qt Network||Public Suffix List||only indirectly||-|| | |qtbase||Qt Network||Public Suffix List||only indirectly||-||https://publicsuffix.org/list/ | ||
https://github.com/publicsuffix/list | |||
|Download the recent version of the list (https://publicsuffix.org/list/public_suffix_list.dat) | |||
Then, for >=6.5 | |||
- follow the instructions in src/3rdparty/libpsl/README.txt | |||
For 6.2 (while it's supported) (easiest on Linux/Unix): | |||
- Build the tool in ./util/publicSuffix | |||
- Run once to see instructions | |||
- Follow the instructions | |||
- You have to manually replace the appropriate section of qurltlds_p.h | |||
For 5.15 (while it's supported) (easiest on Linux/Unix) | |||
- Same as for 6.2, except the tool is located in util/corelib/qurl-generateTLDs, and the qurltlds file is in another location | |||
- note: the instructions in 5.15 require stripping comments from the .dat file, which is different to the 6.2 branch | |||
Finally, for all versions: | |||
Bump qt_attribution.json SHA to the SHA the .dat file was generated from in their repo. | |||
Basically just go through commits from the top until you see the changes from that commit in the .dat file. | |||
|- | |- | ||
|qtbase||Qt SQL||sqlite||SQL database files and queries||-|| | |qtbase||Qt SQL||sqlite||SQL database files and queries||-||https://sqlite.org | ||
|Download the latest source code amalgation package and unzip into relevant directory | |||
|- | |- | ||
|qtimageformats||Qt ImageFormats||libtiff|| | |qtimageformats||Qt ImageFormats||libtiff||TIFF images||-||https://gitlab.com/libtiff/libtiff<nowiki/>|| | ||
|- | |||
|qtimageformats||Qt ImageFormats||libwebp||webp images||-||https://developers.google.com/speed/webp | |||
| | |||
|- | |- | ||
| | |qtmultimedia||Qt Multimedia||FFmpeg||Decoding compressed audio & video||FFmpeg is provisioned in CI and used by the binary packages|| || | ||
|- | |- | ||
|qtmultimedia | |qtmultimedia||Qt Spatial Audio||Eigen||Processing of audio data||-|| || | ||
|Qt | |||
| | |||
| | |||
| | |||
| | |||
|- | |- | ||
|qtmultimedia | |qtmultimedia||Qt Spatial Audio||pffft||Processing of audio data||-|| || | ||
|Qt Spatial Audio | |||
| | |||
|Processing of audio data | |||
| | |||
| | |||
|- | |- | ||
|qtmultimedia | |qtmultimedia||Qt Spatial Audio||resonance audio||Processing of audio data||-|| || | ||
|Qt Spatial Audio | |||
| | |||
|Processing of audio data | |||
| | |||
| | |||
|- | |- | ||
| | |qtquick3d||Qt Quick 3D||assimp||3D assets||-|| || | ||
|Qt | |||
| | |||
| | |||
| | |||
| | |||
|- | |- | ||
|qtquick3d||Qt Quick 3D|| | |qtquick3d||Qt Quick 3D||tinyexr||Loading EXR images||-|| || | ||
|- | |- | ||
| | |qtquick3dphysics||Qt Quick 3D Physics||PhysX||Read/write meshes||Build fixes||https://github.com/NVIDIAGameWorks/PhysX<nowiki/>||See src/3rdparty/PhysX/README.md | ||
|} | |} | ||
Latest revision as of 08:39, 27 September 2023
This page provides security- and maintenance-relevant information for the 3rd party code in Qt. For a complete list of 3rd party modules, including the currently included version, see the documentation page with the list of licenses used in Qt.
| repository | Qt module | 3rdparty module | processed untrusted content | patches | upstream | upgrade process |
|---|---|---|---|---|---|---|
| qtbase | Qt Core | pcre2 | regular expressions | - | http://www.pcre.org/ | Routine pre-release checks of their release page on GitHub. Their front-page is lagging a little behind at time of writing. |
| qtbase | Qt Core | sha1 | arbitrary stream of bytes | - | https://www.dominik-reichl.de/projects/csha1/ | Replace the .cpp file with the new version from upstream |
| qtbase | Qt Core | sha{224,256,384,512} | arbitrary stream of bytes | - | https://www.rfc-editor.org/rfc/rfc6234#section-8 | None, maybe look at errata or CVEs |
| qtbase | Qt Core | sha3 | arbitrary stream of bytes | A patch that addresses CVE-2022-37454 | https://keccak.team/archives.html | None, the upstream implementation is obsolete. Look for CVEs |
| qtbase | Qt Core | tinycbor | Streaming CBOR object | - | https://github.com/intel/tinycbor | Thiago is its maintainer, so brings us updates when he makes them. |
| qtbase | Qt Core | zlib | zlib compressed data | build fixes for Windows and Apple; exporting symbols | http://zlib.net/ | Routine pre-release check of their front page, which links the latest release. |
| qtbase | Qt GUI | harfbuzz-ng | fonts | - | ||
| qtbase | Qt GUI | freetype | fonts | - | https://gitlab.freedesktop.org/freetype | fetch latest tar-ball, run script. Might involve manual fixing of license and build system files, depending on what changed upstream. |
| qtbase | Qt GUI | libpng | PNG images | - | http://www.libpng.org/pub/png/libpng.html | |
| qtbase | Qt GUI | libjpeg | JPEG images | - | https://sourceforge.net/projects/libjpeg-turbo/ | |
| qtbase | Qt GUI | md4c | markdown text | Fix compiler warnings with MSVC | ||
| qtbase | Qt Network | Public Suffix List | only indirectly | - | https://publicsuffix.org/list/ | Download the recent version of the list (https://publicsuffix.org/list/public_suffix_list.dat)
Then, for >=6.5 - follow the instructions in src/3rdparty/libpsl/README.txt For 6.2 (while it's supported) (easiest on Linux/Unix): - Build the tool in ./util/publicSuffix - Run once to see instructions - Follow the instructions - You have to manually replace the appropriate section of qurltlds_p.h For 5.15 (while it's supported) (easiest on Linux/Unix) - Same as for 6.2, except the tool is located in util/corelib/qurl-generateTLDs, and the qurltlds file is in another location - note: the instructions in 5.15 require stripping comments from the .dat file, which is different to the 6.2 branch
Bump qt_attribution.json SHA to the SHA the .dat file was generated from in their repo. Basically just go through commits from the top until you see the changes from that commit in the .dat file. |
| qtbase | Qt SQL | sqlite | SQL database files and queries | - | https://sqlite.org | Download the latest source code amalgation package and unzip into relevant directory |
| qtimageformats | Qt ImageFormats | libtiff | TIFF images | - | https://gitlab.com/libtiff/libtiff | |
| qtimageformats | Qt ImageFormats | libwebp | webp images | - | https://developers.google.com/speed/webp | |
| qtmultimedia | Qt Multimedia | FFmpeg | Decoding compressed audio & video | FFmpeg is provisioned in CI and used by the binary packages | ||
| qtmultimedia | Qt Spatial Audio | Eigen | Processing of audio data | - | ||
| qtmultimedia | Qt Spatial Audio | pffft | Processing of audio data | - | ||
| qtmultimedia | Qt Spatial Audio | resonance audio | Processing of audio data | - | ||
| qtquick3d | Qt Quick 3D | assimp | 3D assets | - | ||
| qtquick3d | Qt Quick 3D | tinyexr | Loading EXR images | - | ||
| qtquick3dphysics | Qt Quick 3D Physics | PhysX | Read/write meshes | Build fixes | https://github.com/NVIDIAGameWorks/PhysX | See src/3rdparty/PhysX/README.md |