qtwebkit: Mark known vulnerable

[mweinelt]

The browser engine is based off an old Webkit version, receives no security backports, does no releases.

The WebKitGTK people have counted over 500 CVEs they fixed since 2016.

Adding known vulnerable to make people aware they're using a browser engine that is not up to todays standards and could very likely be easily compromised.

https://blogs.gnome.org/mcatanzaro/2017/02/08/an-update-on-webkit-security-updates/
qutebrowser/qutebrowser#4039 (comment)
https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.11 Release Notes (or backporting 22.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[mweinelt]

52 packages affected:

• alkimia (†8.1.1)
• apitrace (†7.1-572-g26966134)
• apmplanner2 (†2.0.28)
• brewtarget (†2.3.1)
• calligra (†3.2.1)
• cb2bib (†2.0.0)
• fontmatrix (†0.6.0-qt5)
• foxitreader (†2.4.4.0911)
• goldendict (†2022-05-10)
• kdev-php (†22.08.3)
• kdev-python (†22.08.3)
• kdevelop (†22.08.3)
• kdevelop-with-plugins (†)
• kdewebkit (†5.99.0)
• kexi (†3.2.0)
• kmymoney (†5.1.3)
• kreport (†3.2.0)
• lsd2dsl (†0.5.4)
• mendeley (†1.19.5-stable_amd64)
• minizinc-ide (†2.5.5)
• mythtv (†31.0)
• nixnote2 (†2.0.2)
• notepadqq (†1.4.8)
• odoo (†15.0.20220506)
• omedit (†1.18.0)
• omshell (†1.18.0)
• openboard (†1.6.1)
• openlp (†2.4.6)
• openlp-full (†2.4.6)
• openmodelica-combined (†)
• openshot-qt (†2.6.1)
• pixinsight (†1.8.9-1)
• python3.10-PyQt5 (†5.15.7)
• python3.10-scudcloud (†1.65)
• python3.9-PyQt5 (†5.15.7)
• qgis (†3.22.10)
• qgis (†3.26.2)
• qlandkartegt (†1.8.1)
• qt-full (†5.12.10)
• qt-full (†5.14.2)
• qt-full (†5.15.7)
• qtwebkit (†5.212.0-alpha4)
• qtwebkit-plugins-unstable (†2017-01-25)
• quiterss (†0.19.4)
• rocs (†22.08.3)
• sleepyhead (†1.0.0-beta-git)
• smtube (†21.10.0)
• subsurface (†5.0.2)
• swift-im (†4.0.2)
• teamviewer (†15.29.4)
• trojita-unstable (†2022-08-22)
• wkhtmltopdf (†0.12.6)

[K900]

Our fork is somewhat more maintained, but still not particularly well maintained, definitely not on the same level as Chromium or others. Also, just checking the list of things that depend on it, the only thing that jumps out at me is kdevelop, and that can use qtwebengine so should probably just be switched over (it currently depends on both for some reason).

[K900]

Also checked rocs, also builds just fine without it.

[K900]

apitrace is another thing I might care about but ours is disturbingly outdated anyway. I'll look into it.

[K900]

apitrace update here: #201032

[jian-lin]

FYI, this fork of goldendict replaces qtwebkit with qtwebengine.

There is PR goldendict/goldendict#1542 to upstream.

[mweinelt]

FYI, this fork of goldendict replaces qtwebkit with qtwebengine.

cc @gebner @astsmtl @sikmir

[ajs124]

Does this PR count towards progress for #53079?

[K900]

Well, it drops at least two packages, so I'd say yes.

[gador]

teamviewer seems to be working fine without qtwebkit too

[mweinelt]

Feel free to provide a follow-up PR!

[vcunat]

Some of the newly disappeared packages still have meta.maintainers, so those might want to know:

• apmplanner2: @wucke13
• brewtarget: @mmahut
• calligra: @ebzzry, @zraexy
• cb2bib: @edwtjo
• goldendict: @gebner, @astsmtl, @sikmir
• kmymoney: @aidalgol, @das-g
• libsForQt5.kdewebkit: @ttuegel already requested, @nyanloutre
• libsForQt5.kreport: @zraexy
• libsForQt5.qtwebkit and -plugins: @abbradar, @periklis
• lsd2dsl: @sikmir
• minizincide: @dtzWill
• mythtv: @titanous
• nixnote2: @htr
• notepadqq: @rszibele
• odoo: @mkg20001
• openboard: @fufexan
• openmodelica.*: @balodja, @grwlf
• openshot-qt: @AndersonTorres
• qgis and qgis-ltr: @lsix, @sikmir, @erictapen, @willcohen
• qlandkartegt: @sikmir
• quiterss: @primeos
• scudcloud: @volhovm
• sleepyhead: @krav
• smtube: @vbgl
• swift-im: @orivej
• trojita: @ehmry
• wkhtmltopdf: @jb55

[vlinkz]

Yeah without that some qml parts of calamares break, but should be possible to pinpoint exactly which packages are needed instead. I'll look into it

[aidalgol]

Looks like kmymoney is affected by this because it takes kdewebkit as an input. What should it be using instead? Upstream's dependency list does not specify any specific web engine, but CMakeLists.txt tries to find WebEngineWidgets and WebKitWidgets.

[das-g]

PR to switch kmymoney from qtwebkit to qtwebengine: #201953

[AndersonTorres]

I believe pyqt5_with_qtwebkit is the one offending openshot.

[vlinkz]

• PR for calamares installation cd: Installation-cd: Remove libsForQt5.full #201991

[vcunat]

Note that qtwebengine currently depends on long-vulnerable python2, so it would also get dropped "soon", e.g. by PR #201859

[K900]

Arch has patches for building it with Python3, maybe we should yoink those: https://github.com/archlinux/svntogit-packages/tree/packages/qt5-webengine/trunk

[AndersonTorres]

#202059

[mweinelt]

Thanks everyone for helping clean up!

[tobiasBora]

I'm beaten by this bug when I put full, but qtbase is not enough to build the package (errors about UiTools). Is there a full-like package that only contains packages that build?

Edit: I ended up adding qttools, discovered using nix-locate. But still interested to here about a full that only contains valid packages.

[K900]

The package you want is qttools in nativeBuildInputs.

[tobiasBora]

Ahah thanks, I come up to the same conclusion using nix-locate, so I guess full should not be used anymore? Should'nt we provide a full-like for quick development? Also, what's the difference between qtbas of qtdeclarative?

[K900]

I'd say we should have never had a full-like. qtbase is QtCore and QtWidgets, qtdeclarative is, well, QtDeclarative.