> -----Original Message----- > [...] > So why do we even ship 3rd parties with Qt in the current form if we > can't be bother to update them promptly (for bug fixes, security fixes, and > the like)? > Wouldn't it be better to just provide a script (cmake's external > project, recipe, conan build file, vcpkg, choco, WHATEVER) so that the > user can download the latest version of 3rd parties automatically? Or > just NOT provide them and push the problem onto the user?
Using a dependency manager is actually the plan: https://bugreports.qt.io/browse/QTBUG-73760 . Last year we looked into Conan for some third-party code, but didn't follow through on it yet, mostly due to just too many other things on the plate ... Note however, that most of the third-party code we have right now are not standalone libraries that can easily be maintained and built outside of Qt. So https://doc.qt.io/qt-6/licenses-used-in-qt.html will still be a significant list for the foreseeable future, and we should treat security issues in them the same way we treat security issues in Qt code. Regards Kai PS: Giuseppe, something in your mails tells Outlook to only to reply to you personally, and not to the list, even if I use Reply to All. Other mails are not affected... _______________________________________________ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development