On Thursday, 16 October 2025 01:48:31 Pacific Daylight Time Giuseppe D'Angelo via Development wrote:
> Ideally, there should be a validation of all the 3rd party code shipped
> with Qt as part of the release process. However this doesn't look
> straightforward: we fetch libraries from many different repos, we have
> custom build scripts, we just copy a subset of the files, sometimes we
> patch them. So we can't just compare 3rdparty/foo/ with a fresh tarball
> of libfoo.
>
> So, before we go further, is this a real problem, and do we want to
> address it?
I think a simple few steps are a good idea, though implementation may be difficult. Ideally we'd do a cryptographic check that the input is exactly what it purports to be; a visual review of the upstream link will tell us that it is a release in a known website and/or a tag in the upstream repository. One thing to watch out for is "random commits" because in GitHub, they can be in any fork instead of the one in the link.

The big issue that I can see is the how: unless we start importing the tarballs themselves, cryptographic verification is difficult. Could the bot re-do the steps as specified (download tarball or git checkout the tag, cryptographically verify, then apply any pending patches) and verify that the result is identical to the commit?

I have a script I use to do most of that for $DAYJOB. For example, for the sqlite dependency, the input is:

    version=3500400
    sources='https://www.sqlite.org/2025/sqlite-autoconf-${version}.tar.gz'
    checksum=sha256:a3db587a1b92ee5ddac2f66b3edb41b26f9c867275782d46c3a088977d6a5b18

and for the Intel ISA-L, which is a dependency that doesn't upload source tarballs to the GitHub release assets, it checks the Git tree's[1] SHA-1:

    version=2.31.1
    git_url=https://github.com/intel/isa-l
    checksum=gitsha1:7c92b61963c5f114588c45dcd0c22ca45e777a97

Then a different script applies all *.patch files (lexicographically sorted) prior to building.

Updating a dependency for us is simply updating the "version" line and the expected checksum.

[1] we use the git tree because this script runs without Internet access during the container build process. With Internet access, I'd instead clone the repository and check out / git archive a Git tag, which will be sufficient verification.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
Principal Engineer - Intel Data Center Group
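As an added example (not Thiago's script and not part of the thread): a Python sketch of the two checks described above. It parses the version/checksum lines, verifies a tarball against a sha256: checksum, and computes a git tree object id from an in-memory checkout so a gitsha1: checksum can be verified without a git binary. The tarball bytes and checkout contents are constructed stand-ins, not the real sqlite or ISA-L sources.

```python
import hashlib
import hmac
from typing import Dict, Optional

def parse_spec(text: str) -> Dict[str, str]:
    """Parse the key=value lines of a dependency spec (surrounding quotes dropped)."""
    spec = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            spec[key] = value.strip("'\"")
    return spec

def git_blob_sha1(data: bytes) -> str:
    # Object id of a git blob: sha1("blob <size>\0" + contents).
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def git_tree_sha1(files: Dict[str, bytes]) -> str:
    """Object id of the git tree for path -> contents (regular files, mode 100644)."""
    entries: Dict[str, tuple] = {}          # name -> (mode, 20-byte raw sha1)
    subtrees: Dict[str, Dict[str, bytes]] = {}
    for path, data in files.items():
        head, sep, rest = path.partition("/")
        if sep:
            subtrees.setdefault(head, {})[rest] = data
        else:
            entries[head] = (b"100644", bytes.fromhex(git_blob_sha1(data)))
    for name, sub in subtrees.items():      # recurse into subdirectories
        entries[name] = (b"40000", bytes.fromhex(git_tree_sha1(sub)))
    # git orders entries by name, comparing directory names as if they ended in "/".
    order = sorted(entries, key=lambda n: n + "/" if entries[n][0] == b"40000" else n)
    body = b"".join(entries[n][0] + b" " + n.encode() + b"\0" + entries[n][1] for n in order)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()

def verify(spec: Dict[str, str], tarball: Optional[bytes] = None, checkout: Optional[Dict[str, bytes]] = None) -> bool:
    """Check a fetched artefact against the spec's checksum=<algo>:<hex> line."""
    algo, _, expected = spec["checksum"].partition(":")
    if algo == "sha256":
        actual = hashlib.sha256(tarball).hexdigest()
    elif algo == "gitsha1":
        actual = git_tree_sha1(checkout)
    else:
        raise ValueError(f"unsupported checksum type: {algo}")
    return hmac.compare_digest(actual, expected.lower())

# Constructed stand-ins (not the real sqlite tarball or ISA-L tree), with the checksum recorded in the spec format above.
TARBALL = b"constructed stand-in for sqlite-autoconf-3500400.tar.gz"
TARBALL_SPEC = parse_spec("version=3500400\nchecksum=sha256:%s" % hashlib.sha256(TARBALL).hexdigest())
CHECKOUT = {"Makefile.am": b"SUBDIRS = lib\n", "lib/isal.c": b"int isal;\n"}
```

A bot doing the release check would fetch the artefact named in sources= or git_url=, call verify() with the spec from the tree, and only then apply the *.patch files in lexicographic order and diff the result against what is committed under 3rdparty/.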
-- Development mailing list [email protected] https://lists.qt-project.org/listinfo/development
