qtwebengine notes from mitya57 (updated September 2019): - lintian reports use of embedded libsrtp - lintian reports use of embedded openjpeg - chromium has a patch: https://salsa.debian.org/chromium-team/chromium/tree/master/debian/patches/system - review use of touch_files in debian/rules -- are all of them still needed? - lintian reports more source-is-missing errors: - source-is-missing src/3rdparty/chromium/tools/page_cycler/acid3/acid3.acidtests.org/index.html line length is 271 characters (>256) - source-is-missing src/3rdparty/chromium/tools/page_cycler/acid3/acid3.acidtests.org/index.html line length is 271 characters (>256) - source-is-missing src/3rdparty/chromium/third_party/skia/site/user/api/catalog.htm line length is 803 characters (>512) - lintian reports privacy-breach-generic usr/lib/x86_64-linux-gnu/qt5/examples/webenginewidgets/videoplayer/data/index.html (embeds a page from youtube?) - debugging symbols are completely disabled. Maybe use at least -g1 like qtwebkit does? - copyright file needs updating (use decopy) - reduce build logs size by using -Wno-class-memaccess -Wno-packed-not-aligned qtwebengine notes from hefee (older): # qtwebengine http://pkgs.fedoraproject.org/cgit/rpms/qt5-qtwebengine.git/tree/ * still using internal copies ? we need to test this somehow * does the patches from Fedora makes sense for Debian? * cleanup copyright file / are there some files we need to delete, because they are propitary? lintian: E: qtwebengine-opensource-src source: source-is-missing examples/webenginewidgets/contentmanipulation/jquery.min.js ==> see #787527 E: qtwebengine-opensource-src source: source-is-missing examples/webenginewidgets/markdowneditor/resources/marked.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/analytics/google-analytics-bundle.js line length is 525 characters (>512) E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/bidichecker/bidichecker_packaged.js line length is 513 characters (>512) E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/excanvas.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.colorhelpers.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.canvas.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.categories.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.crosshair.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.errorbars.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.fillbetween.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.image.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.navigate.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.pie.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.resize.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.selection.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.stack.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.symbol.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.threshold.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.flot.time.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/flot/jquery.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/blanketjs/src/blanket.js line length is 4238 characters (>512) W: qtwebengine-opensource-src source: configure-generated-file-in-source src/3rdparty/chromium/third_party/libxslt/linux/config.log N:· N: Leaving config.cache/status causes autobuilders problems. config.cache N: and config.status are produced by GNU autoconf's configure scripts. If N: they are left in the source package, autobuilders may pick up settings N: for the wrong architecture. N:···· N: The clean rule in debian/rules should remove this file. This should N: ideally be done by fixing the upstream build system to do it when you N: run the appropriate cleaning command (and don't forget to forward the N: fix to the upstream authors so it doesn't happen in the next release). N: If that is already implemented, then make sure you are indeed cleaning N: it in the clean rule. If all else fails, a simple rm -f should work. N:···· N: Note that Lintian cannot reliably detect the removal in the clean rule, N: so once you fix this, please ignore or override this warning. N:···· N: Severity: normal, Certainty: possible N:···· N: Check: cruft, Type: source N:· E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/pyelftools/examples/sample_exe64.elf E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/readability/js/readability.js line length is 265 characters (>256) E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/web-animations-js/sources/web-animations-next-lite.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/web-animations-js/sources/web-animations-next.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/web-animations-js/sources/web-animations.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/dom_distiller_js/dist/js/domdistiller.js line length is 742 characters (>512) E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/dom_distiller_js/dist/js/domdistiller_wrapped.js line length is 742 characters (>512) E: qtwebengine-opensource-src source: license-problem-non-free-RFC-BCP78 src/3rdparty/chromium/third_party/libsrtp/srtp/doc/rfc3711.txt N:· N: The given source file is licensed under the non-free RFC license N: (BCP78). N:···· N: The majority of IETF documents, such as RFCs, are not licensed under N: DFSG-free terms, and should thus not be included in Debian main. N:···· N: If this file is multi-licensed, please override the tag. N:···· N: If this is a false-positive, please report a bug against Lintian. N:···· N: Refer to https://wiki.debian.org/NonFreeIETFDocuments for details. N:···· N: Severity: serious, Certainty: possible N:···· N: Check: cruft, Type: source N:· E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/pycoverage/coverage/htmlfiles/jquery.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/pycoverage/coverage/htmlfiles/jquery.tablesorter.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/ui/accessibility/extensions/highcontrast/highcontrast.js line length is 3045 characters (>512) E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/ui/webui/resources/js/jstemplate_compiled.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/acorn/acorn.js line length is 845 characters (>512) E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/cm_modes/clojure.js line length is 536 characters (>512) E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/cm_modes/php.js line length is 7403 characters (>512) E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/network/RequestJSONView.js line length is 257 characters (>256) E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/skia/platform_tools/android/bin/linux/perfhost E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/skia/third_party/yasm/config/android/yasm E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Tools/Scripts/webkitpy/thirdparty/coverage/htmlfiles/jquery-1.4.3.min.js E: qtwebengine-opensource-src source: source-is-missing src/3rdparty/chromium/third_party/WebKit/Tools/Scripts/webkitpy/thirdparty/coverage/htmlfiles/jquery.tablesorter.min.js W: qtwebengine-opensource-src source: syntax-error-in-dep5-copyright line 10: Continuation line outside a paragraph (maybe line 9 should be " ."). N:· N: The machine-readable copyright file didn't pass Debian control file N: syntax check. N:···· N: This issue may hide other issues as Lintian skips some checks on the N: file in this case. N:···· N: Refer to N: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ for N: details. N:···· N: Severity: normal, Certainty: possible N:···· N: Check: source-copyright, Type: source N:· W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/09/4754e50c62072c169adbbe52c1606b7bb1431e.debug N:· N: The binary is installed as a detached "debug symbols" ELF file, but it N: does not appear to have debug information associated with it. N:···· N: Implementation detail: Lintian checks for the ".debug_line" and the N: ".debug_str" sections. If either of these are present, the binary is N: assumed to contain debug information. N:···· N: Refer to https://bugs.debian.org/668437 for details. N:···· N: Severity: normal, Certainty: possible N:···· N: Check: binaries, Type: binary, udeb N:· W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/0d/6d7183c34e85d50c71631d44bce90f890dad25.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/12/bbdb9baeff2860f4ad9dfe65a3791e1e6eef61.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/1f/f0d589cf494f3e8152ff8255ab19e67ae5f777.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/29/88c212e282f68558a6eff59d110300484e8901.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/2a/d539920a8ec279d221ab1b4624a2f40e85c19b.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/34/23bf971ba229cfebc81c2c042fc363c5c58b63.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/4e/aeebe7db8c83561b4942e0abab5844daf4e454.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/92/b02b1bdd18f651f7d9dcce6202b6316d6c1150.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/a6/5aee895fd47f3e6b0ed0a453da9240aa51cbbc.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/b5/fa240214048fbcf3dd5c4538aa8abb30e2f701.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/bc/5cc900c7cf3d9644ad1e26a304778a2c13e859.debug W: libqt5webengine5-dbg: debug-file-with-no-debug-symbols usr/lib/debug/.build-id/cc/9ab11e5d04fa54ab3a67d0d54fac4155262b46.debug W: libqt5webengine5-dbg: copyright-refers-to-deprecated-bsd-license-file N:· N: The copyright file refers to /usr/share/common-licenses/BSD. Due to the N: brevity of this license, the specificity of this copy to code whose N: copyright is held by the Regents of the University of California, and N: the frequency of minor wording changes in the license, its text should N: be included in the copyright file directly rather than referencing this N: file. N:···· N: This file may be removed from a future version of base-files if N: references to it drop sufficiently. N:···· N: Refer to Debian Policy Manual section 12.5 (Copyright information) for N: details. N:···· N: Severity: minor, Certainty: certain N:···· N: Check: copyright-file, Type: binary N:· I: libqt5webengine5: hardening-no-bindnow usr/lib/x86_64-linux-gnu/libQt5WebEngine.so.5.6.1 N:· N: This package provides an ELF binary that lacks the "bindnow" linker N: flag. N:···· N: This is needed (together with "relro") to make the "Global Offset Table" N: (GOT) fully read-only. The bindnow feature trades startup time for N: improved security. Please consider enabling this feature or consider N: overriding the tag (possibly with a comment about why). N:···· N: If you use dpkg-buildflags, you may have to add hardening=+bindnow or N: hardening=+all to DEB_BUILD_MAINT_OPTIONS. N:···· N: The relevant compiler flags are set in LDFLAGS. N:···· N: Refer to https://wiki.debian.org/Hardening for details. N:···· N: Severity: wishlist, Certainty: certain N:···· N: Check: binaries, Type: binary, udeb N:· I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 lengH length N:· N: Lintian found a spelling error in the given binary. Lintian has a list N: of common misspellings that it looks for. It does not have a dictionary N: like a spelling checker does. N:···· N: If the string containing the spelling error is translated with the help N: of gettext or a similar tool, please fix the error in the translations N: as well as the English text to avoid making the translations fuzzy. With N: gettext, for example, this means you should also fix the spelling N: mistake in the corresponding msgids in the *.po files. N:···· N: You can often find the word in the source code by running: N:···· N: grep -rw <word> <source-tree> N:···· N: This tag may produce false positives for words that contain non-ASCII N: characters due to limitations in strings. N:···· N: Severity: minor, Certainty: wild-guess N:···· N: Check: binaries, Type: binary, udeb N:· I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 ment meant I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 fetaures features I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 Dont Don't I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 explict explicit I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 occured occurred I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 signficant significant I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 unrecogized unrecognized I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 emtpy empty I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 indeces indices I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 reserverd reserved I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 doesnt't doesn't I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 timout timeout I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 UNKOWN UNKNOWN I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 ofthe of the I: libqt5webengine5: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 befor before E: libqt5webengine5: embedded-library usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1: sqlite N:· N: The given ELF object appears to have been statically linked to a N: library. Doing this is strongly discouraged due to the extra work needed N: by the security team to fix all the extra embedded copies or trigger the N: package rebuilds, as appropriate. N:···· N: If the package uses a modified version of the given library it is highly N: recommended to coordinate with the library's maintainer to include the N: changes on the system version of the library. N:···· N: Refer to Debian Policy Manual section 4.13 (Convenience copies of code) N: for details. N:···· N: Severity: serious, Certainty: possible N:···· N: Check: binaries, Type: binary, udeb N:· I: libqt5webengine5: hardening-no-pie usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess N:· N: This package provides an ELF executable that was not compiled as a N: position independent executable (PIE). N:···· N: PIE is required for fully enabling Address Space Layout Randomization N: (ASLR), which makes "Return-oriented" attacks more difficult. N:···· N: Historically, PIE has been associated with noticeable performance N: overhead on i386. However, GCC-5 has implemented an optimization that N: can reduce the overhead significantly. N:···· N: If you use dpkg-buildflags, you may have to add hardening=+pie or N: hardening=+all to DEB_BUILD_MAINT_OPTIONS. N:···· N: The relevant compiler flags must be passed both to the compiler and the N: linker (e.g. for C that would be commonly be CFLAGS and LDFLAGS). N:···· N: CAVEAT: Please keep in mind that the PIE flag (-fPIE) is not suitable N: for all cases: N:···· N: * It is <not> compatible with -fPIC which required for N: compiling shared libraries. N: * It is unlikely to work when compiling static libraries or N: executables (gcc -static). N:···· N: If your upstream build compiles either of the above, you may have to N: patch the build to ensure that only ELF executables are compiled with N: PIE. N:···· N: Refer to https://wiki.debian.org/Hardening, N: https://gcc.gnu.org/gcc-5/changes.html, and N: https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode N: for details. N:···· N: Severity: wishlist, Certainty: certain N:···· N: Check: binaries, Type: binary, udeb N:· I: libqt5webengine5: hardening-no-bindnow usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess W: libqt5webengine5: copyright-refers-to-deprecated-bsd-license-file I: libqt5webengine5: arch-dep-package-has-big-usr-share 23375kB 25% N:· N: The package has a significant amount of architecture-independent data N: (over 4MB, or over 2MB and more than 50% of the package) in /usr/share N: but is an architecture-dependent package. This is wasteful of mirror N: space and bandwidth since it means distributing multiple copies of this N: data, one for each architecture. N:···· N: If the data in /usr/share is not architecture-independent, this is a N: Policy violation that should be fixed by moving the data elsewhere N: (usually /usr/lib). N:···· N: Refer to Debian Developer's Reference section 6.7.5 N: (Architecture-independent data) for details. N:···· N: Severity: wishlist, Certainty: certain N:···· N: Check: huge-usr-share, Type: binary N:· I: libqt5webengine5: no-symbols-control-file usr/lib/x86_64-linux-gnu/libQt5WebEngineCore.so.5.6.1 N:· N: Although the package includes a shared library, the package does not N: have a symbols control file. N:···· N: dpkg can use symbols files in order to generate more accurate library N: dependencies for applications, based on the symbols from the library N: that are actually used by the application. N:···· N: Refer to the dpkg-gensymbols(1) manual page and N: https://wiki.debian.org/UsingSymbolsFiles for details. N:···· N: Severity: wishlist, Certainty: certain N:···· N: Check: shared-libs, Type: binary, udeb N:· I: libqt5webengine5: no-symbols-control-file usr/lib/x86_64-linux-gnu/libQt5WebEngine.so.5.6.1 I: libqt5webengine5: no-symbols-control-file usr/lib/x86_64-linux-gnu/libQt5WebEngineWidgets.so.5.6.1 W: qtwebengine5-doc-html: copyright-refers-to-deprecated-bsd-license-file I: qml-module-qtwebengine: hardening-no-bindnow usr/lib/x86_64-linux-gnu/qt5/qml/QtWebEngine/experimental/libqtwebengineexperimentalplugin.so I: qml-module-qtwebengine: hardening-no-bindnow usr/lib/x86_64-linux-gnu/qt5/qml/QtWebEngine/libqtwebengineplugin.so W: qml-module-qtwebengine: copyright-refers-to-deprecated-bsd-license-file I: qt5webengine-examples: hardening-no-pie usr/lib/x86_64-linux-gnu/qt5/examples/webengine/minimal/minimal I: qt5webengine-examples: hardening-no-bindnow usr/lib/x86_64-linux-gnu/qt5/examples/webengine/minimal/minimal I: qt5webengine-examples: hardening-no-pie usr/lib/x86_64-linux-gnu/qt5/examples/webengine/quicknanobrowser/quicknanobrowser W: qt5webengine-examples: embedded-javascript-library usr/lib/x86_64-linux-gnu/qt5/examples/webenginewidgets/contentmanipulation/jquery.min.js please use libjs-jquery N:· N: This package contains an embedded copy of JavaScript libraries that are N: now available in their own packages (for example, JQuery, Prototype, N: Mochikit or "Cropper"). Please depend on the appropriate package and N: symlink the library into the appropriate location. N:···· N: Refer to Debian Policy Manual section 4.13 (Convenience copies of code) N: for details. N:···· N: Severity: normal, Certainty: possible N:···· N: Check: files, Type: binary, udeb N:· W: qtwebengine5-doc: copyright-refers-to-deprecated-bsd-license-file W: libqt5webengine5-dev: copyright-refers-to-deprecated-bsd-license-file I: libqt5webengine5-dev: package-contains-empty-directory usr/include/x86_64-linux-gnu/qt5/QtWebEngineWidgets/5.6.1/ N:· N: This package installs an empty directory. This might be intentional but N: it's normally a mistake. If it is intentional, add a lintian override. N:···· N: If a package ships with or installs empty directories, you can remove N: them in debian/rules by calling: N:···· N: $ find path/to/base/dir -type d -empty -delete N:···· N: Severity: wishlist, Certainty: possible N:···· N: Check: files, Type: binary, udeb