| 18 Aug 2025 |
emily | because it's just … choosing what error people get | 16:27:44 |
Grimmauld (any/all) | fair enough | 16:27:54 |
emily | or at least we can get a PR up marking it as vulnerable and land them together | 16:27:57 |
emily | https://github.com/jellyfin/jellyfin-media-player/pull/844 does not look like anyone is putting real work into it | 16:28:33 |
Grimmauld (any/all) | should we dig out like 20 CVEs that affect the old qtwebengine or do we not bother and just slap it with some text? | 16:29:03 |
K900 | Probably fine to just say "uses outdated chromium version, figure it out" | 16:30:54 |
emily | "EOL since April 2025, vulnerable to all Chromium CVEs since then" | 16:32:03 |
emily | (well, technically there can be CVEs that don't apply to their ancient Chromium) | 16:32:21 |
emily | (…there can also be CVEs that apply only to their ancient Chromium) | 16:32:33 |
emily | it's Chromium 87, from 2020 | 16:33:20 |
emily | with half a decade of backported security patches | 16:33:25 |
emily | and from what I've seen/heard, they were not super proactive about being very diligent about those backports | 16:33:36 |
emily | to be frank, I would not use Qt 6 WebEngine for a daily-driving browser either | 16:33:48 |
Grimmauld (any/all) | oh hell no | 16:33:59 |
Grimmauld (any/all) | anyways, i need to pop out, i'll catch up later | 16:34:53 |
K900 | I don't think they say you should | 16:37:17 |
emily | I dunno. I doubt the Qt company would say "Qt is not suitable for writing web browsers". | 16:37:40 |
emily | though they do say "The Qt WebEngine module provides a web browser engine that makes it easy to embed content from the World Wide Web into your Qt application on platforms that do not have a native web engine." 🤔 | 16:37:49 |
emily | doesn't KDE have a browser | 16:38:37 |
K900 | Ish | 16:38:50 |
emily | does Falkon use WebEngine? | 16:38:53 |
K900 | KDE is a giant mess of things | 16:38:55 |
K900 | It does | 16:38:58 |
K900 | Falkon is also like | 16:39:01 |
K900 | Developed by one guy and not even Neon ships it by default | 16:39:08 |
emily | fair enough | 16:39:14 |
emily | (I wish KDE was more coherent) | 16:39:23 |
K900 | "KDE" has about as much of a security posture as nixpkgs | 16:39:29 |
emily | (though even GNOME is a somewhat nebulous thing) | 16:39:32 |
emily | (but they seem to apply a fair amount of curation to e.g. Circle. as befitting their natural authoritarian tendencies i suppose :P) | 16:39:57 |