Docs: Minimum required dependencies and current CVEs #8639

issue fanquake opened this issue on September 1, 2016
  1. fanquake commented at 12:05 AM on September 1, 2016: member

    Requested by @laanwj in #8423 (which addresses some of these by upgrading packages) + #8923.

    This should probably be a new file in doc/, as it is not specific to any one platform. Also checks in configure.ac would need to be added to check if these versions are present.

    | Dependency | Version used | Minimum required | Latest available | CVEs? | Shared | Bundled Qt library |
    |---|---|---|---|---|---|---|
    | libevent | 2.1.11-stable | 2.0.22 | 2.1.12-stable | No | | |
    | Qt | 5.9.8 | 5.5.1 | 6.0.0 | No | | |
    | Freetype | 2.7.1 | | 2.10.4 | No | | |
    | Boost | 1.70.0 | 1.58.0 | 1.75.0 | No | | |
    | Zeromq (optional) | 4.3.1 | 4.0 | 4.3.3 | Yes | | |
    | miniupnpc (optional) | 2.0.20180203 | | 2.2.1 | No | | |
    | qrencode (optional) | 3.4.4 | | 4.1.1 | No | | |
    | berkeley-db | 4.8.30 | 4.8.x | 18.1.40 | No | | |
    | expat | 2.2.7 | | 2.2.10 | Yes | Yes | |
    | fontconfig | 2.12.1 | | 2.13.1 | No | Yes | |
    | freetype | | | | | | no (linux uses system) |
    | zlib | 1.2.11 | | 1.2.11 | | | no |
    | libpng | | | | | | yes |
    | PCRE | | | | | | yes |
    | xcb | | | | | | yes (linux only) |
    | xkbcommon | | | | | | yes (linux only) |
    | HarfBuzz-NG | | | | | | ? |
    | Python (tests) | | 3.6 | 3.9.1 | | | |
    | GCC | | 7+ (C++17) | 10.2 | | | |
    | Clang | | 5.0+ (C++17) | 11.0.0 | | | |
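    The table above can be triaged mechanically along the lines the thread later settles on: a pinned version must satisfy the documented minimum, and a CVE matters for the shipped binary only when the library is linked in rather than loaded from the user's system as a shared lib. The following is an added example, not code from this issue or from the bitcoin/bitcoin repository; the rows are copied from the table, and the "4.8.x" / "7+" handling is an assumption about how those minimums are meant to be read.

```python
import re
from dataclasses import dataclass

@dataclass
class Dep:
    name: str
    used: str      # version pinned in depends/
    minimum: str   # minimum the build accepts ("" if not documented)
    latest: str    # latest upstream release at the time of the table
    cves: bool     # open CVEs against the pinned version
    shared: bool   # built as a shared lib, so the user's own copy is loaded

def parse_version(text: str) -> tuple:
    """'2.1.11-stable' -> (2, 1, 11); '4.8.x' -> (4, 8); '7+ (C++17)' -> (7,)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def meets_minimum(used: str, minimum: str) -> bool:
    """Compare only the components the minimum spells out ('4.8.x' -> 4.8)."""
    if not minimum:
        return True
    u, m = parse_version(used), parse_version(minimum)
    return u[:len(m)] >= m

def triage(deps):
    """Return (below_minimum, outdated, static_with_cves) as name lists."""
    below = [d.name for d in deps if not meets_minimum(d.used, d.minimum)]
    outdated = [d.name for d in deps
                if d.latest and parse_version(d.used) < parse_version(d.latest)]
    # Shared libs are not distributed with the release, so their CVEs belong
    # to the user's platform; only statically linked libs with CVEs count here.
    static_cves = [d.name for d in deps if d.cves and not d.shared]
    return below, outdated, static_cves

# Rows constructed from the table in the first comment (assumed accurate).
DEPENDS = [
    Dep("libevent", "2.1.11-stable", "2.0.22", "2.1.12-stable", False, False),
    Dep("Qt", "5.9.8", "5.5.1", "6.0.0", False, False),
    Dep("Boost", "1.70.0", "1.58.0", "1.75.0", False, False),
    Dep("Zeromq", "4.3.1", "4.0", "4.3.3", True, False),
    Dep("berkeley-db", "4.8.30", "4.8.x", "18.1.40", False, False),
    Dep("expat", "2.2.7", "", "2.2.10", True, True),
    Dep("fontconfig", "2.12.1", "", "2.13.1", False, True),
]

if __name__ == "__main__":
    print(dict(zip(("below_minimum", "outdated", "static_with_cves"),
                   triage(DEPENDS))))
```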
  2. luke-jr commented at 12:16 AM on September 1, 2016: member

    We don't support Qt 4 in depends/ AFAIK?

  3. theuni commented at 12:17 AM on September 1, 2016: member

    Thanks, nice initiative.

    dbus, fontconfig, and expat are all built as shared libs. That means we don't distribute them, and users load their own versions at runtime. A grep in depends for "disable-static" should turn up most/all of these. Also, we no longer use qt4, that .mk should just be deleted.

    It's also worth noting that we use a bunch of built-in qt libs (libjpeg/libpng/etc). If the goal is to be able to enumerate CVEs that apply to our binaries, we should probably consider building those ourselves instead.

  4. fanquake commented at 2:49 AM on September 1, 2016: member

    Updated with the rest of our packages. Opened a PR to remove the Qt4 package.

  5. jonasschnelli commented at 6:37 AM on September 1, 2016: contributor

    Nice work! Thanks.

  6. droark commented at 4:16 PM on September 1, 2016: contributor

    Oooh, nice initiative. Good job.

  7. fanquake added the label Build system on Sep 2, 2016
  8. laanwj commented at 5:49 AM on September 22, 2016: member

    Thanks for making this list.

  9. laanwj commented at 5:52 AM on September 22, 2016: member

    It's also worth noting that we use a bunch of built-in qt libs (libjpeg/libpng/etc). If the goal is to be able to enumerate CVEs that apply to our binaries, we should probably consider building those ourselves instead.

    Image libraries are a grey area: it's hard to coerce bitcoin-qt to read resources from somewhere else than its own built-in resources (and if you manage to, it will only read from local disk). I don't think even a code execution vuln in libpng or libjpeg would be exploitable in practice.

    (though it may still make sense to include them in the list for completeness, I'm not arguing against that, but we certainly don't have to do anything special for them)

  10. fanquake commented at 1:09 AM on September 27, 2016: member

    Updated the top comment now that #8423 has been merged.

  11. fanquake commented at 3:39 AM on October 5, 2016: member

    Cleaned up the messy list into a markdown table. Updated to reflect recent /depends/ merges.

  12. fanquake renamed this:
    [WIP] CVEs in depends packages
    CVEs in depends packages
    on Oct 5, 2016
  13. luke-jr commented at 5:53 AM on October 5, 2016: member

    I suggest splitting out the ones we only use as shared libs, since it doesn't matter if they have vulnerabilities, but it does potentially matter if they're too new (since that could result in incompatible ABIs).

  14. fanquake commented at 6:45 AM on October 5, 2016: member

    Updated to show which are shared libraries, as well as added all the built-in Qt libraries we're using.

  15. fanquake renamed this:
    CVEs in depends packages
    [Docs] Minimum required dependencies and current CVEs
    on Jan 12, 2017
  16. fanquake added the label Docs and Output on Jan 12, 2017
  17. fanquake commented at 2:19 AM on January 12, 2017: member

    I've updated this to reflect recent changes to the depends system, as well as bring in minimum required dependency versions, some of which came from #8923.

  18. laanwj commented at 7:13 AM on January 12, 2017: member

    @fanquake Thanks for the updates!

  19. droark commented at 7:51 AM on January 12, 2017: contributor

    Hello. Regarding whether or not there's a minimum Qt5 version, based off what I know (which could easily be wrong), there is none. I did a pull request where I could've tried to code three different paths based on the version of Qt used. @theuni kinda sorta maybe said versions <5.2 could be ignored but I'm not sure how much should be invested in that statement.

    Does this help in any way? Whether or not it does, it would be nice to establish a Qt5 minimum, and possibly think about whether or not Qt4 should still be supported.

  20. fanquake commented at 12:40 PM on February 16, 2017: member

    Updated with latest depends changes. Added zlib now that we are building it. Updated upstream versions where required.

  21. fanquake commented at 5:21 AM on May 13, 2017: member

    Updated to reflect recent depends updates and upstream releases.

  22. laanwj referenced this in commit f65614726d on Sep 7, 2017
  23. fanquake commented at 11:33 PM on November 25, 2017: member

    Updated to reflect the latest upstream changes.

  24. fanquake commented at 12:25 AM on June 19, 2018: member

    Updated to reflect current upstream versions, as well as the impending qt5+ requirement.

  25. fanquake deleted a comment on Nov 26, 2018
  26. fanquake deleted a comment on Nov 26, 2018
  27. fanquake renamed this:
    [Docs] Minimum required dependencies and current CVEs
    Docs: Minimum required dependencies and current CVEs
    on Dec 9, 2018
  28. fanquake commented at 5:27 AM on January 1, 2019: member

    Updated to account for upstream changes.

  29. fanquake commented at 12:49 AM on July 25, 2019: member

    This should be back up to date with all upstream changes.

  30. laanwj commented at 11:28 AM on November 19, 2019: member

    Please remove OpenSSL :smile:

  31. jarolrod commented at 1:59 AM on January 14, 2021: member

    @fanquake can this be closed since we have a dependencies.md?

  32. fanquake closed this on Mar 16, 2021

  33. DrahtBot locked this on Aug 18, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 21:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me