qtwebengine notes from mitya57 (updated September 2019):

- lintian reports use of embedded libsrtp
- lintian reports use of embedded openjpeg
  - chromium has a patch: https://salsa.debian.org/chromium-team/chromium/tree/master/debian/patches/system
- review use of touch_files in debian/rules -- are all of them still needed?
- lintian reports more source-is-missing errors:
  - source-is-missing src/3rdparty/chromium/tools/page_cycler/acid3/acid3.acidtests.org/index.html line length is 271 characters (>256)
  - source-is-missing src/3rdparty/chromium/tools/page_cycler/acid3/acid3.acidtests.org/index.html line length is 271 characters (>256)
  - source-is-missing src/3rdparty/chromium/third_party/skia/site/user/api/catalog.htm line length is 803 characters (>512)
- lintian reports privacy-breach-generic usr/lib/x86_64-linux-gnu/qt5/examples/webenginewidgets/videoplayer/data/index.html
  (embeds a page from youtube?)
- debugging symbols are completely disabled. Maybe use at least -g1 like qtwebkit does?
- copyright file needs updating (use decopy)
- reduce build logs size by using -Wno-class-memaccess -Wno-packed-not-aligned


qtwebengine notes from hefee (older):

# qtwebengine
http://pkgs.fedoraproject.org/cgit/rpms/qt5-qtwebengine.git/tree/
* still using internal copies ? we need to test this somehow
* does the patches from Fedora makes sense for Debian?
* cleanup copyright file / are there some files we need to delete, because they are propitary?


lintian:

E: qtwebengine-opensource-src source: source-is-missing examples/webenginewidgets/contentmanipulation/jquery.min.js

==> see #787527

E: qtwebengine-opensource-src source: source-is-missing examples/webenginewidgets/markdowneditor/resources/marked.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/analytics/google-analytics-bundle.js line length is 525 characters (>512)
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/bidichecker/bidichecker_packaged.js line length is 513 characters (>512)
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/excanvas.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.colorhelpers.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.canvas.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.categories.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.crosshair.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.errorbars.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.fillbetween.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.image.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.navigate.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.pie.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.resize.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.selection.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.stack.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.symbol.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.threshold.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.time.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/blanketjs/src/blanket.js line length is 4238 characters (>512)
W: qtwebengine-opensource-src source: configure-generated-file-in-source src/3rdparty/chromium/third_party/libxslt/linux/config.log
N:·
N:    Leaving config.cache/status causes autobuilders problems. config.cache
N:    and config.status are produced by GNU autoconf's configure scripts. If
N:    they are left in the source package, autobuilders may pick up settings
N:    for the wrong architecture.
N:····
N:    The clean rule in debian/rules should remove this file. This should
N:    ideally be done by fixing the upstream build system to do it when you
N:    run the appropriate cleaning command (and don't forget to forward the
N:    fix to the upstream authors so it doesn't happen in the next release).
N:    If that is already implemented, then make sure you are indeed cleaning
N:    it in the clean rule. If all else fails, a simple rm -f should work.
N:····
N:    Note that Lintian cannot reliably detect the removal in the clean rule,
N:    so once you fix this, please ignore or override this warning.
N:····
N:    Severity: normal, Certainty: possible
N:····
N:    Check: cruft, Type: source
N:·
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/pyelftools/examples/sample_exe64.elf
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/readability/js/readability.js line length is 265 characters (>256)
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/web-animations-js/sources/web-animations-next-lite.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/web-animations-js/sources/web-animations-next.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/web-animations-js/sources/web-animations.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/dom_distiller_js/dist/js/domdistiller.js line length is 742 characters (>512)
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/dom_distiller_js/dist/js/domdistiller_wrapped.js line length is 742 characters (>512)
E: qtwebengine-opensource-src source: license-problem-non-free-RFC-BCP78 src/3rdparty/chromium/third_party/libsrtp/srtp/doc/rfc3711.txt
N:·
N:    The given source file is licensed under the non-free RFC license
N:    (BCP78).
N:····
N:    The majority of IETF documents, such as RFCs, are not licensed under
N:    DFSG-free terms, and should thus not be included in Debian main.
N:····
N:    If this file is multi-licensed, please override the tag.
N:····
N:    If this is a false-positive, please report a bug against Lintian.
N:····
N:    Refer to https://wiki.debian.org/NonFreeIETFDocuments for details.
N:····
N:    Severity: serious, Certainty: possible
N:····
N:    Check: cruft, Type: source
N:·
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/pycoverage/coverage/htmlfiles/jquery.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/pycoverage/coverage/htmlfiles/jquery.tablesorter.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/ui/accessibility/extensions/highcontrast/highcontrast.js line length is 3045 characters (>512)
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/ui/webui/resources/js/jstemplate_compiled.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/acorn/acorn.js line length is 845 characters (>512)
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/cm_modes/clojure.js line length is 536 characters (>512)
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/cm_modes/php.js line length is 7403 characters (>512)
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/network/RequestJSONView.js line length is 257 characters (>256)
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/skia/platform_tools/android/bin/linux/perfhost
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/skia/third_party/yasm/config/android/yasm
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Tools/Scripts/webkitpy/thirdparty/coverage/htmlfiles/jquery-1.4.3.min.js
E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Tools/Scripts/webkitpy/thirdparty/coverage/htmlfiles/jquery.tablesorter.min.js
W: qtwebengine-opensource-src source: syntax-error-in-dep5-copyright line 10: Continuation line outside a paragraph (maybe line 9 should be " .").
N:·
N:    The machine-readable copyright file didn't pass Debian control file
N:    syntax check.
N:····
N:    This issue may hide other issues as Lintian skips some checks on the
N:    file in this case.
N:····
N:    Refer to
N:    https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ for
N:    details.
N:····
N:    Severity: normal, Certainty: possible
N:····
N:    Check: source-copyright, Type: source
N:·
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/09/4754e50c62072c169adbbe52c1606b7bb1431e.debug
N:·
N:    The binary is installed as a detached "debug symbols" ELF file, but it
N:    does not appear to have debug information associated with it.
N:····
N:    Implementation detail: Lintian checks for the ".debug_line" and the
N:    ".debug_str" sections. If either of these are present, the binary is
N:    assumed to contain debug information.
N:····
N:    Refer to https://bugs.debian.org/668437 for details.
N:····
N:    Severity: normal, Certainty: possible
N:····
N:    Check: binaries, Type: binary, udeb
N:·
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/0d/6d7183c34e85d50c71631d44bce90f890dad25.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/12/bbdb9baeff2860f4ad9dfe65a3791e1e6eef61.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/1f/f0d589cf494f3e8152ff8255ab19e67ae5f777.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/29/88c212e282f68558a6eff59d110300484e8901.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/2a/d539920a8ec279d221ab1b4624a2f40e85c19b.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/34/23bf971ba229cfebc81c2c042fc363c5c58b63.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/4e/aeebe7db8c83561b4942e0abab5844daf4e454.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/92/b02b1bdd18f651f7d9dcce6202b6316d6c1150.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/a6/5aee895fd47f3e6b0ed0a453da9240aa51cbbc.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/b5/fa240214048fbcf3dd5c4538aa8abb30e2f701.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/bc/5cc900c7cf3d9644ad1e26a304778a2c13e859.debug
W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/cc/9ab11e5d04fa54ab3a67d0d54fac4155262b46.debug
W: libqt5webengine5-dbg: copyright-refers-to-deprecated-bsd-license-file
N:·
N:    The copyright file refers to /usr/share/common-licenses/BSD. Due to the
N:    brevity of this license, the specificity of this copy to code whose
N:    copyright is held by the Regents of the University of California, and
N:    the frequency of minor wording changes in the license, its text should
N:    be included in the copyright file directly rather than referencing this
N:    file.
N:····
N:    This file may be removed from a future version of base-files if
N:    references to it drop sufficiently.
N:····
N:    Refer to Debian Policy Manual section 12.5 (Copyright information) for
N:    details.
N:····
N:    Severity: minor, Certainty: certain
N:····
N:    Check: copyright-file, Type: binary
N:·
I: libqt5webengine5: hardening-no-bindnow usr/lib/x86_64-linux-gnu/libQt5WebEngine.so.5.6.1
N:·
N:    This package provides an ELF binary that lacks the "bindnow" linker
N:    flag.
N:····
N:    This is needed (together with "relro") to make the "Global Offset Table"
N:    (GOT) fully read-only. The bindnow feature trades startup time for
N:    improved security. Please consider enabling this feature or consider
N:    overriding the tag (possibly with a comment about why).
N:····
N:    If you use dpkg-buildflags, you may have to add hardening=+bindnow or
N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:····
N:    The relevant compiler flags are set in LDFLAGS.
N:····
N:    Refer to https://wiki.debian.org/Hardening for details.
N:····
N:    Severity: wishlist, Certainty: certain
N:····
N:    Check: binaries, Type: binary, udeb
N:·
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 lengH length
N:·
N:    Lintian found a spelling error in the given binary. Lintian has a list
N:    of common misspellings that it looks for. It does not have a dictionary
N:    like a spelling checker does.
N:····
N:    If the string containing the spelling error is translated with the help
N:    of gettext or a similar tool, please fix the error in the translations
N:    as well as the English text to avoid making the translations fuzzy. With
N:    gettext, for example, this means you should also fix the spelling
N:    mistake in the corresponding msgids in the *.po files.
N:····
N:    You can often find the word in the source code by running:
N:····
N:     grep -rw <word> <source-tree>
N:····
N:    This tag may produce false positives for words that contain non-ASCII
N:    characters due to limitations in strings.
N:····
N:    Severity: minor, Certainty: wild-guess
N:····
N:    Check: binaries, Type: binary, udeb
N:·
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 ment meant
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 fetaures features
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 Dont Don't
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 explict explicit
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 occured occurred
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 signficant significant
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 unrecogized unrecognized
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 emtpy empty
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 indeces indices
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 reserverd reserved
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 doesnt't doesn't
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 timout timeout
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 UNKOWN UNKNOWN
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 ofthe of the
I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 befor before
E: libqt5webengine5: embedded-library usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1: sqlite
N:·
N:    The given ELF object appears to have been statically linked to a
N:    library. Doing this is strongly discouraged due to the extra work needed
N:    by the security team to fix all the extra embedded copies or trigger the
N:    package rebuilds, as appropriate.
N:····
N:    If the package uses a modified version of the given library it is highly
N:    recommended to coordinate with the library's maintainer to include the
N:    changes on the system version of the library.
N:····
N:    Refer to Debian Policy Manual section 4.13 (Convenience copies of code)
N:    for details.
N:····
N:    Severity: serious, Certainty: possible
N:····
N:    Check: binaries, Type: binary, udeb
N:·
I: libqt5webengine5: hardening-no-pie usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess
N:·
N:    This package provides an ELF executable that was not compiled as a
N:    position independent executable (PIE).
N:····
N:    PIE is required for fully enabling Address Space Layout Randomization
N:    (ASLR), which makes "Return-oriented" attacks more difficult.
N:····
N:    Historically, PIE has been associated with noticeable performance
N:    overhead on i386. However, GCC-5 has implemented an optimization that
N:    can reduce the overhead significantly.
N:····
N:    If you use dpkg-buildflags, you may have to add hardening=+pie or
N:    hardening=+all to DEB_BUILD_MAINT_OPTIONS.
N:····
N:    The relevant compiler flags must be passed both to the compiler and the
N:    linker (e.g. for C that would be commonly be CFLAGS and LDFLAGS).
N:····
N:    CAVEAT: Please keep in mind that the PIE flag (-fPIE) is not suitable
N:    for all cases:
N:····
N:     * It is <not> compatible with -fPIC which required for
N:       compiling shared libraries.
N:     * It is unlikely to work when compiling static libraries or
N:       executables (gcc -static).
N:····
N:    If your upstream build compiles either of the above, you may have to
N:    patch the build to ensure that only ELF executables are compiled with
N:    PIE.
N:····
N:    Refer to https://wiki.debian.org/Hardening,
N:    https://gcc.gnu.org/gcc-5/changes.html, and
N:    https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode
N:    for details.
N:····
N:    Severity: wishlist, Certainty: certain
N:····
N:    Check: binaries, Type: binary, udeb
N:·
I: libqt5webengine5: hardening-no-bindnow usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess
W: libqt5webengine5: copyright-refers-to-deprecated-bsd-license-file
I: libqt5webengine5: arch-dep-package-has-big-usr-share 23375kB 25%
N:·
N:    The package has a significant amount of architecture-independent data
N:    (over 4MB, or over 2MB and more than 50% of the package) in /usr/share
N:    but is an architecture-dependent package. This is wasteful of mirror
N:    space and bandwidth since it means distributing multiple copies of this
N:    data, one for each architecture.
N:····
N:    If the data in /usr/share is not architecture-independent, this is a
N:    Policy violation that should be fixed by moving the data elsewhere
N:    (usually /usr/lib).
N:····
N:    Refer to Debian Developer's Reference section 6.7.5
N:    (Architecture-independent data) for details.
N:····
N:    Severity: wishlist, Certainty: certain
N:····
N:    Check: huge-usr-share, Type: binary
N:·
I: libqt5webengine5: no-symbols-control-file usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1
N:·
N:    Although the package includes a shared library, the package does not
N:    have a symbols control file.
N:····
N:    dpkg can use symbols files in order to generate more accurate library
N:    dependencies for applications, based on the symbols from the library
N:    that are actually used by the application.
N:····
N:    Refer to the dpkg-gensymbols(1) manual page and
N:    https://wiki.debian.org/UsingSymbolsFiles for details.
N:····
N:    Severity: wishlist, Certainty: certain
N:····
N:    Check: shared-libs, Type: binary, udeb
N:·
I: libqt5webengine5: no-symbols-control-file usr/lib/x86_64-linux-gnu/libQt5WebEngine.so.5.6.1
I: libqt5webengine5: no-symbols-control-file usr/lib/x86_64-linux-gnu/libQt5WebEngineWidgets.so.5.6.1
W: qtwebengine5-doc-html: copyright-refers-to-deprecated-bsd-license-file
I: qml-module-qtwebengine: hardening-no-bindnow usr/lib/x86_64-linux-gnu/qt5/qml/QtWebEngine/experimental/libqtwebengineexperimentalplugin.so
I: qml-module-qtwebengine: hardening-no-bindnow usr/lib/x86_64-linux-gnu/qt5/qml/QtWebEngine/libqtwebengineplugin.so
W: qml-module-qtwebengine: copyright-refers-to-deprecated-bsd-license-file
I: qt5webengine-examples: hardening-no-pie usr/lib/x86_64-linux-gnu/qt5/examples/webengine/minimal/minimal
I: qt5webengine-examples: hardening-no-bindnow usr/lib/x86_64-linux-gnu/qt5/examples/webengine/minimal/minimal
I: qt5webengine-examples: hardening-no-pie usr/lib/x86_64-linux-gnu/qt5/examples/webengine/quicknanobrowser/quicknanobrowser
W: qt5webengine-examples: embedded-javascript-library usr/lib/x86_64-linux-gnu/qt5/examples/webenginewidgets/contentmanipulation/jquery.min.js please use libjs-jquery
N:·
N:    This package contains an embedded copy of JavaScript libraries that are
N:    now available in their own packages (for example, JQuery, Prototype,
N:    Mochikit or "Cropper"). Please depend on the appropriate package and
N:    symlink the library into the appropriate location.
N:····
N:    Refer to Debian Policy Manual section 4.13 (Convenience copies of code)
N:    for details.
N:····
N:    Severity: normal, Certainty: possible
N:····
N:    Check: files, Type: binary, udeb
N:·
W: qtwebengine5-doc: copyright-refers-to-deprecated-bsd-license-file
W: libqt5webengine5-dev: copyright-refers-to-deprecated-bsd-license-file
I: libqt5webengine5-dev: package-contains-empty-directory usr/include/x86_64-linux-gnu/qt5/QtWebEngineWidgets/5.6.1/
N:·
N:    This package installs an empty directory. This might be intentional but
N:    it's normally a mistake. If it is intentional, add a lintian override.
N:····
N:    If a package ships with or installs empty directories, you can remove
N:    them in debian/rules by calling:
N:····
N:     $ find path/to/base/dir -type d -empty -delete
N:····
N:    Severity: wishlist, Certainty: possible
N:····
N:    Check: files, Type: binary, udeb