18 Aug 2025 |
K900 ⚡️ | It's pretty active | 16:25:26 |
emily | I know fcitx is very popular with Chinese users | 16:25:29 |
emily | but not sure if that package specifically is | 16:25:35 |
Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/398783#issuecomment-2824682603
We need this no matter what since it is security relevant and will block further security updates in the future.
Sandro actually had a good point here. And as such on 25.05 the libsoup2 usage is below 100 too
| 16:26:27 |
emily | https://github.com/jellyfin/jellyfin-media-player/pull/599 😔 | 16:26:41 |
emily | well I just mean I see people complaining regularly about all their stuff being broken because of it | 16:27:00 |
Grimmauld (any/all) | but that's off-topic here, would continue that in #security-discuss:nixos.org, let's get back to qtwebengine | 16:27:08 |
emily | backporting that kind of stuff hurts | 16:27:06 |
emily | I'm satisfied by the list here though, I think we can move forward with it | 16:27:20 |
emily | I don't think we need to block Plasma removal on it | 16:27:34 |
emily | er, vice versa | 16:27:42 |
emily | because it's just … choosing what error people get | 16:27:44 |
Grimmauld (any/all) | fair enough | 16:27:54 |
emily | or at least we can get a PR up marking it as vulnerable and land them together | 16:27:57 |
emily | https://github.com/jellyfin/jellyfin-media-player/pull/844 does not look like anyone is putting real work into it | 16:28:33 |
Grimmauld (any/all) | should we dig out like 20 CVEs that affect the old qtwebengine or do we not bother and just slap it with some text? | 16:29:03 |
K900 ⚡️ | Probably fine to just say "uses outdated chromium version, figure it out" | 16:30:54 |
emily | "EOL since April 2025, vulnerable to all Chromium CVEs since then" | 16:32:03 |
emily | (well, technically there can be CVEs that don't apply to their ancient Chromium) | 16:32:21 |
emily | (…there can also be CVEs that apply only to their ancient Chromium) | 16:32:33 |
emily | it's Chromium 87, from 2020 | 16:33:20 |
emily | with half a decade of backported security patches | 16:33:25 |
emily | and from what I've seen/heard, they were not super proactive about being very diligent about those backports | 16:33:36 |
emily | to be frank, I would not use Qt 6 WebEngine for a daily-driving browser either | 16:33:48 |
Grimmauld (any/all) | oh hell no | 16:33:59 |
Grimmauld (any/all) | anyways, i need to pop out, i'll catch up later | 16:34:53 |
K900 ⚡️ | I don't think they say you should | 16:37:17 |
emily | I dunno. I doubt the Qt company would say "Qt is not suitable for writing web browsers". | 16:37:40 |
emily | though they do say "The Qt WebEngine module provides a web browser engine that makes it easy to embed content from the World Wide Web into your Qt application on platforms that do not have a native web engine." 🤔 | 16:37:49 |
emily | doesn't KDE have a browser | 16:38:37 |