Re: Bug#1057755: Qt WebEngine Security Support In Stable

To: Dmitry Shachnev <mitya57@debian.org>
Cc: Adrian Bunk <bunk@debian.org>, 1057755@bugs.debian.org, Patrick Franz <deltaone@debian.org>, Alberto Garcia <berto@igalia.com>, Debian UBports Team <team+ubports@tracker.debian.org>, Debian Release Team <debian-release@lists.debian.org>, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>, Debian Security Team <security@debian.org>, Pirate Praveen <praveen@debian.org>, Nilesh Patra <nilesh@debian.org>, Aurélien COUDERC <coucouf@debian.org>, Fritz Reichwald <reichwald@b1-systems.de>, Mike Gabriel <sunweaver@debian.org>, Thomas Goirand <thomas@goirand.fr>
Subject: Re: Bug#1057755: Qt WebEngine Security Support In Stable
From: Soren Stoutner <soren@stoutner.com>
Date: Thu, 21 Dec 2023 12:48:44 -0700
Message-id: <[🔎] 2258281.EXn5XjvLSS@soren-desktop>
In-reply-to: <[🔎] ZYQMtzC7GC3dwO3l@mitya57.me>
References: <170199911428.713712.13945181272059018033.reportbug@soren-desktop.stoutner.com> <[🔎] 2401151.SSZU2zEttN@soren-desktop> <[🔎] ZYQMtzC7GC3dwO3l@mitya57.me>

On Thursday, December 21, 2023 3:00:23 AM MST Dmitry Shachnev wrote:
> Just one particular class (QQuickWebEngineDownloadItem) is private. My guess
> is that it’s upstream oversight, because upstream documentation even 
mentions
> that one needs to call QWebEngineDownloadRequest::accept() [1], yet calling
> that method is not possible without including a private header.
> 
> [1]: https://doc.qt.io/qt-6/qquickwebengineprofile.html#downloadRequested

There is both a public and a private version of the header for this class, 
similar to a lot of classes in Qt WebEngine.

The public versions of this header are contained in `qquickwebengineprofile.h` 
and `qwebenginedownloadrequest.h` in the qt6-webengine-dev package.

The private versions of this header are contained in 
`qquickwebengineprofile_p.h` and `qquickwebenginedownloadrequest_p.h` in the 
qt6-webengine-private-dev package.

On the C++ side, the public versions of these headers are contained in 
`qwebengineprofile.h` and `qwebenginedownloadrequest.h` (note how both versions 
end up depending on the same `qwebenginedownloadrequest.h` where all of the 
real logic resides) in the qt6-webengine-dev package.

The private version of the C++ header are contained in `qwebengineprofile_p.h` 
and `qwebenginedownloadrequest_p.h` contained in the qt6-webengine-private-dev 
package.

It isn’t clear to me why Qt feels the need to have private headers that mirror 
their public headers for many of their functions.  And there may be some way 
in which Qt borked their public QML implementation of this particular class in 
such a way that one really does need to depend on the private headers (in 
which case, as Dmitry has pointed out, they would probably be very willing to 
fix it if it was reported to them).  But from what I can see by reviewing the 
code (without taking the time to actually build a project and test it out 
myself) it ought to be possible for Angelfish to just switch to using the 
public headers.

-- 
Soren Stoutner
soren@stoutner.com

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Follow-Ups:
- Re: Bug#1057755: Qt WebEngine Security Support In Stable
  - From: Dmitry Shachnev <mitya57@debian.org>

References:
- Re: Bug#1057755: Qt WebEngine Security Support In Stable
  - From: Soren Stoutner <soren@stoutner.com>
- Re: Bug#1057755: Qt WebEngine Security Support In Stable
  - From: Dmitry Shachnev <mitya57@debian.org>

Prev by Date: Re: /usr-move: Do we support upgrades without apt?
Next by Date: Re: /usr-move: Do we support upgrades without apt?
Previous by thread: Re: Bug#1057755: Qt WebEngine Security Support In Stable
Next by thread: Re: Bug#1057755: Qt WebEngine Security Support In Stable
Index(es):
- Date
- Thread