Samstag, 24. Juni 2017

Improving QtWebKit security for Fedora

The Qt port of the WebKit engine was unmaintained for years, until Konstantin Tokarev (also known as annulen) decided to pick it up about ten months ago. Within the last months he did an impressive job on getting QtWebKit up to date again, some days ago he released the second alpha of QtWebKit 5.212.0. As the current state of QtWebkit is really bad in Fedora, we always shipped the latest one from Qt upstream, but they did not do any backports of security fixes from upstream WebKit anymore, the KDE SIG now decided to move to the new community QtWebKit. Qt itself only supports the QtWebEngine based on Chromium, which itself has some issues (hard to maintain as we have to remove codec stuff, always some Chromium releases behind) , but more important: Many applications have not been ported and still use QtWebKit. With Konstantins work on QtWebKit it is possible to use them without all these unfixed security issues again. There are also some reasons to use QtWebKit instead of QtWebEngine, checkout the QtWebKit Wiki.

Within the last two weeks I worked on packaging the new QtWebKit and testing it with several browsers and KDE components to ensure that we do not break the world. So far it looks like new QtWebKit is what it is promised to be: a drop-in replacement for the old one, even without the need to recompile anything. For now our plan to get it in Fedora:

  • Provide a copr for wider testing, already done, checkout https://copr.fedorainfracloud.org/coprs/lupinix/qtwebkit-annulen/
  • Import into Rawhide (done)
  • Update all qt5-qtwebkit packages for Fedora 24+ when some more testing is done, current plan is a 0day update for Fedora 26 (we will not get it in before final freeze) and updates for Fedora 24 and 25 at the same time
Note that I'm talking about the Qt5 version of QtWebKit. There is no upstream support for Qt4 anymore, but it is still in Fedoras repositories. So Qt4 QtWebKit is still without any fixes, I guess we should retire it at some point, in the same way our WebKitGTK+ friends already did.

Donnerstag, 19. Januar 2017

LXQt Spin proposed for Fedora 26, new test build available

Around christmas we announced some initial effort for a Fedora LXQt remix/spin. After some weeks of testing and tuning, reworking translation packages and updating whole LXQt to 0.11.x (x>0) the LXQt SIG decided to propose the LXQt Spin for inclusion in Fedora 26.

The current selection of applications:

  • LXQt 0.11.x
  • PCManFM-Qt (LXQt file manager)
  • Ark (archiver, from KDE)
  • Dragon (media player, from KDE)
  • KCalc (calculator, from KDE)
  • KWrite (text editor, from KDE)
  • LXImage-Qt (image viewer)
  • Psi+ (XMPP client)
  • qBittorrent (torrent client)
  • Qlipper (clipboard tool)
  • qpdfview (pdf and ps viewer)
  • Quassel (IRC client)
  • QupZilla (web browser)
  • Trojita (IMAP mail client)
  • Yarock (music player)
The set of applications is not yet fixed, we've chosen some KDE applications as they are Qt5 based and integrate well while having a small dependency footprint. In cases where LXQt provides an application (e.g. LXImage-Qt image viewer), this one has been selected.

For configuration we included the LXQt config tools (lxqt-config and obconf-qt) of course, in addition we added lxappearance to be able to change GTK themes too. The theme itself is the Breeze theme known from KDE, it looks nice and is provided for GTK in addition, so the user can have a unified look. By default we've chosen the Openbox window manager, in addition the spin will contain KWin for those who like to have compositing etc.

For software management we included dnfdragora, a nice graphical frontend for DNF providing a nice Qt based GUI in our case (but as it uses libyui abstraction layer, it can use GTK and curses too, as known from SUSE YaST). This is not yet included in Fedora, but on a good way to arrive soon. Right now Kevin Kofler provides a COPR for it.

A new test build is available in the usual location, comments and ideas (like different applications which may fit better) should be shared in our project on pagure.

Freitag, 23. Dezember 2016

Creating Fedora 25 LXQt Remix

After some discussions and initial thoughts within LXQt SIG I decided to put a first Fedora 25 LXQt remix together. Now I'd like to share the idea to get some input, especially on selection of applications 😊

LXQt in Fedora – the current state

We have packages and a package group in Fedora for quite a while now. It was submitted as a change in Fedora 22.
Up-to-date packages (version 0.11.x) are available for all supported Fedora releases and EPEL 7, but right now there is no live spin for this nice desktop. Fedora already provides a nice selection of spins for Cinnamon, LXDE, MATE, Plasma and Xfce. As LXQt is a growing project and some other distributions already provide (e.g. Manjaro) or develop (e.g. Lubuntu) LXQt versions of their distributions, Fedora should not wait any longer, especially as most packaging is done. The Fedora LXQt SIG also got some requests for a spin by users. As I made experiences on composing spins when I created Fedora Astronomy, I decided to change this.

Fedora LXQt – Spin or Remix?

A spin is an official compose of Fedora which went through the process of community discussions, trademark approval etc. and is integrated into Fedora's release engineering. A Fedora Remix on the other hand is a non-official project which is based on Fedora but not approved by the Fedora project itself. In case of the LXQt Remix, which is 100% based on Fedora, we provide it in that way first as we want to get some community input. It would not be possible to provide an official LXQt Spin for 25. For Fedora 26 we plan to submit the LXQt spin as a change, so if everything works fine we'll have an official Fedora LXQt Spin then 😊

The remix – current state

We are starting from scratch, the first step was to create a working live image. This has been done now, the remix contains a very basic LXQt desktop with a very limited set of packages (almost nothing except a browser (QupZilla), a terminal (qterminal) and the Qt port of the PCManFM file manager). For the official spin this has to be changed of course, we already have a list of Qt based applications to enhance it. This includes tools the typical set of applications like instant messaging, media player etc. Also the spin needs a proper theme, the default looks like it's from the 90ies 😛 So you'll get a very first impression, hopefully there will be huge development until Fedora 26 final release. But IMHO it is better to have some kind of working basis than discussing things in theory (probably forever).

This is also an important point where you can help us! Do you have preferred (Qt based) applications you'd like to see in an official spin? E.g. which media player do you prefer?

Finally: How to test?

ISO Images
Pagure project
Please report issues using pagure

Sonntag, 15. Mai 2016

Init

So finally I decided to create a blog too :) Will post about my Fedora and other free software related actitivies here.