-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate to Qt6 #211
Comments
I checked on Dec. 12th 2022 the current availability of the
Another good website for checking this is repology (compare, for example, with PySide6). |
For 0.4.1 we're aiming to make headway towards Qt6 support on Mac and Windows by direct bundling, with further testing and research for Linux distributions. Moving Linux distributions to Qt6 for 0.4.1 would be a stretch goal. |
We're not yet adding them to Linux, since PySide6 is not yet available in Linux distro's packages, whereas with Linux and macOS our packaging process includes the shipped binaries. For more context, see: freedomofpress#211
PySide6 won't be available for Fedora distributions any time soon. So we need to find a way to bundle it into our Distributing Dangerzone RPMs with bundled PySide6Option A: bundling with
|
We're not yet adding them to Linux, since PySide6 is not yet available in Linux distro's packages, whereas with Linux and macOS our packaging process includes the shipped binaries. For more context, see: freedomofpress#211
We're not yet adding them to Linux, since PySide6 is not yet available in Linux distro's packages, whereas with Linux and macOS our packaging process includes the shipped binaries. For more context, see: freedomofpress#211
We're not yet adding them to Linux, since PySide6 is not yet available in Linux distros' packages, whereas with Linux and macOS our packaging process includes the shipped binaries. Fixes #211
We're not yet adding them to Linux, since PySide6 is not yet available in Linux distros' packages, whereas with Linux and macOS our packaging process includes the shipped binaries. Fixes #211
We're not yet adding them to Linux, since PySide6 is not yet available in Linux distros' packages, whereas with Linux and macOS our packaging process includes the shipped binaries. Fixes #211
We're not yet adding them to Linux, since PySide6 is not yet available in Linux distros' packages, whereas with Linux and macOS our packaging process includes the shipped binaries. Fixes freedomofpress#211
Not sure this is fixed @apyrgio. Linux systems still run on it. |
Oh, good catch, this should have been a "Refs". |
As of 2023-06-13, I don't see any known distro, besides Alpine and Arch Linux that package PySide6. Also, the Qt5 support has officially ended in May 2023. Thankfully, MacOS and Windows builds use PySide6, but we immediately need to update our Debian/Fedora packages as well. Regarding @deeplow's comment above, I'd be more in favor of option C, as it doesn't affect the package creation of Dangerzone, and because we can always update the package irrespective of the Dangerzone releases. For reference, this is the way Arch Linux packages PySide6: https://gitlab.archlinux.org/archlinux/packaging/packages/pyside6/-/blob/main/PKGBUILD |
We had the same discussion on the SecureDrop Client side of things and decided that given that Debian is continuing to provide security updates, the migration timeline is not as critical as upstream EOL suggests, and we can wait until the Bookworm switchover: That said, I don't know if Fedora applies security updates in a similar manner after a project has reached EOL upstream (@legoktm, tagging in case you have insights on that). And of course there are other reasons to make everything consistent. |
Usually they do, but it can take longer, especially for the older supported release (currently F37). Looking at https://packages.fedoraproject.org/pkgs/qt5-qtbase/qt5-qtbase/fedora-38-updates.html and https://packages.fedoraproject.org/pkgs/qt5-qtbase/qt5-qtbase/fedora-37-updates.html the maintainer was applying security fixes from a month ago but that was also before the EOL, so it's unclear if they'll continue. (Also skimming those issues, none of them would have affected Dangerzone nor SDW AFAICT.) |
This has started biting us back in Dangerzone development since PySide2 stopped being supported on Fedora 39.
Since we already tackled this part we may now consider want to consider the possibility of shipping PySide6 with our own package. Either that or us maintaining the PySide6 package on fedora. |
SecureDrop stumbled upon a similar issue: freedomofpress/securedrop#6884. There a venv was used to ship newer versions of software that is unsupported by distros. |
It seems that shipping PySide6 is the best way forward, so I did a bit of research on what that means, what are the alternatives, and how we can actually do it. Interaction with Qt System LibrariesFirst thing I checked and want to address. I was afraid that providing a PySide6 package might break, if a Python binding points to a system Qt library that gets updated in the meantime. Thankfully, this is not the case. The PyPI version of PySide6 provides a This is further explained in https://doc.qt.io/qtforpython-6/quickstart.html:
I have tested this by removing any Qt system library from my dev environment, and just had PySide6 installed. Spinning up the Dangerzone GUI works! At the end of the day, I guess this is expected, since Dangerzone works on Windows/MacOS as well, which do not have any Qt system libraries. Note that in our development environment, we install a GUI-related Qt6 library ( Code VerificationOk, so we want to package PySide6. Let's assume that the Python wheel is the best candidate, since it contains the Qt libraries as well. Where do we download it from? How can we verify its contents?
So, we don't seem to have a way to verify Qt sources or binary packages via signatures (ideally), but we can use hashes provided by the maintainer and HTTPS (less ideal). On the other hand, that's kind of the current situation on Windows/MacOS. We rely on a TOFU model of trust, in broad strokes. That is, we assume that the file hashes we grab from PyPI and store in our Poetry lock file are correct the moment we update our Poetry lock file, and malicious interference can only take place and get detected afterwards. Ways to distribute PySide6There are various ways we can bring PySide6 into the user's environment. I've tried to evaluate those:
It seems that packaging PySide6 as a separate RPM gives us most control over the process, so we're going to evaluate this option first. Concerns1. What will happen if Fedora actually packages PySide6 after our package is out? This depends on which version they package:
In both cases, if another system package has PySide6 as a dependency and does not get the exact same version, this may lead to issues. It's good to make sure that we always work with the latest PySide6 version in any case. 2. How to build the package in a way that we install the necessary PySide6 requirements in the user's system (xkb, fonts, opengl)? My guess is we have to specify them manually. Probably best to figure out which are missing in a clean Fedora container. 3. The resulting package size is big, roughly 150MiB compressed. Can we make it smaller? My guess is that this is probably due to the bundled Qt libraries, since the same PySide2 package is ~7 MiB. We could probably remove the libraries that we are not using, but that could break any other program that attempts to import PySide6 (see 1). 4. PySide6's shared libraries are built with the manylinux project. Are they safe to be installed in the user's system? I've already seen that automatic dependency detection goes haywire once
This probably affects tools that do some sort of analysis on these libraries, but Dangerzone does not seem to be affected. 5. Is it worth building the package on our own, based on OpenSUSE's specfile? I guess that this will lead to a smaller package (because we will depend on the system Qt6 libraries), but this will resurface the concern regarding the divergence of the bindings and the system libraries, which I cannot answer yet confidently. |
tl;dr: Building PySide6 from source requires digging into their build files. It's not worth the hassle though, since PySide6 relies on private Qt6 APIs that can change at any moment, and can easily break the user's system in case of Qt6 updates. Building PySide6 from SourceWe have established that we can package PySide6 from a PyPI package, but this comes with some drawbacks:
So, it would be worth checking if building PySide6 from source will help alleviate these problems. I've used Fedora 39 as a build platform, and tried to follow the official instructions in Qt's site. I also consulted OpenSUSE's After hunting down missing packages and fixing some CMake problems, I'm currently stuck at the following error:
I believe this error is CMake-related because:
I could dig up further, but at this point I've allocated too much time on this simple task. Examining the (would-be) Final RPMWhile we haven't managed to build PySide6 from source and package it as an RPM, we can download the RPM from OpenSUSE's site, and examine it. PySide6 RPM requirements
I'd like to draw your attention to these requirements:
What do these requirements tell us? That the PySide6 package requires a Qt6 library that is compatible with the Qt 6.6 API, as well as the private Qt 6.6 API. This introduces two problems:
Bottom line is: offering a PySide6 package that relies on system Qt6 libraries is bound to break, and cause system updates to stall. Fixing it requires us to be alert of such changes and publish a new PySide6 package whenever that happens. |
Doesn't sound sustainable at all. |
It seems that Debian has backported some patches from PySide6 in their own PySide2 package, in order to make it work with Python 3.12. We have to wait and see if Fedora picks up on those patches and reinstates PySide2. We haven't tested rebuilding PySide2 in Fedora 39 with these patches, because they appeared after our packaging effort. We don't know if these patches can be cleanly applied to Fedora's PySide2 source, nor what happens if Qt5 gets updated after we publish a patched PySide2 (probably nothing because PySide2 development is stalled). In any case, we can revisit this solution if our wheel approach is less maintainable, and maybe offer it upstream as well. |
Quick update, Fedora Rawhide now provides |
Another important update: Fedora 40 now provides The only version that does not have |
Fedora 39 is officially EOL, and with that we can stop maintaining our own PySide6 package (see freedomofpress/maint-dangerzone-pyside6#5). This means we can drop the related checks from our repo. |
Mirroring freedomofpress/securedrop-client#1562:
We have a PR that already does this change but it is blocked on distros lacking Pyside6 (Qt6) packages.
The text was updated successfully, but these errors were encountered: