Putting Updates of Chromium in Qt WebEngine on a Timeline

One of the most frequent questions about Qt WebEngine concerns the pace of Chromium updates. The shortest form is simply "When do we get the next Chromium in Qt?". Several elements make the answer a matter of perspective. I thought I should put all of them on a timeline to sort them out for myself and, hopefully, for you in a more explanatory form.

I said "a more explanatory form", because the Qt documentation of the Qt WebEngine actually describes the pace of these updates since the Qt 6.5 release in a brief form:

"The Chromium version used is the one used by the latest stable Chrome version at the time of Qt feature freeze for the current version of Qt WebEngine. Additional security patches are cherry picked from newer Chrome releases on every patch release, security patches released in time for the Qt patch release freeze will be included. If Chrome releases critical fixes outside our release window, the next patch release is sped up to ensure a patched Qt WebEngine is released before the patch details goes public.

If you need a newer Qt WebEngine beyond security fixes, and can not update all of Qt, Qt WebEngine supports building with older version of Qt back to the last Qt LTS. For instance Qt WebEngine 6.3, 6.4, and 6.5 can all be built with Qt 6.2. In Qt LTS releases, Qt WebEngine may be fully replaced with such a newer version to make security patching easier".

You can find this in "Qt WebEngine" -> "Qt WebEngine Overview", and then the section "Qt WebEngine Core Module".

I thought I had better make a picture with a timeline, use Qt 6.5 as a reference, and see what is going on. Before we have a look at this, let's see what the pulse of releases in the Chromium project is.

Here, it is important to keep in mind that "Chromium" is the open source project which develops and releases "Chromium" as a core browser technology. It is not the same as "Chrome", which is often used as a short name for the "Google Chrome" browser. Chromium provides a large part of the Google Chrome browser, but some features are only available in Chrome. Chromium is also used in other projects and products, including the Qt Project with Qt WebEngine in Qt 5.2 and later. Due to the tight historical relationship between "Chromium" and "Chrome", these names are still intermixed in many places in the online documentation of "Chromium" and in other information sources.

The release cycle of Chromium is defined in the Chromium documentation under "Chrome Release Cycle" and can be followed on the page "Schedule". The Chromium project releases a new version of Chrome every four weeks. Every second release is an "LTS" release and it lasts twice as long: eight weeks. There are no "feature releases", "bug fix releases", or any sort of "security hot fixes" published separately. It is a single stream of constant updates coming at a fast pace. Qt WebEngine uses the regular release cycle of Chromium, since the "LTS" cycle of eight weeks does not bring any additional value in the context of Qt releases. In addition, the Qt WebEngine development team watches the ongoing work in Chromium, including its security mailing list. The team selects a specific Chromium release to be taken into Qt WebEngine next. We believe that this brings more value to Qt users.

The picture below outlines a series of Qt and Qt WebEngine releases placed on a timeline. It has additional marks for some specific events. The text below is split into sections (a-f) that correspond to the event marks on the picture. See the legend for other details.

[Figure: Qt WebEngine updates depicted on a timeline]

Let's walk along the timeline and review what happens at a given event mark.

(a) Qt Releases

Let's take Qt 6.5 as a base. Qt 6.5.0 was released in the Spring of 2023. It will become LTS sometime in the future. In this picture, the green boxes stand for releases shipped in the Qt Installer as pre-built binary packages. Qt WebEngine is listed in the Qt Installer as an entry in the "Additional Libraries" section under a given Qt version section.

(b) Qt WebEngine and intakes from Chromium

Qt WebEngine is integrated as a git sub-module in the Qt git repository. This repository follows the pulse of Qt branching and naming. When Qt starts a release branch, let's say 6.5.0, the same happens for Qt WebEngine. Most lines of code in the Qt WebEngine repository are actually from Chromium.

Integrating new Chromium versions is important and complex work for Qt WebEngine. A new major version of Chromium is always used and set at the time of Feature Freeze in Qt. The blue arrows mark this on the picture. Additionally, the team follows the security mailing list in the Chromium project and back-ports security patches if required for a given Chromium baseline used as the Qt WebEngine baseline. The intakes of these security patches are shown as red arrows. They happen on an irregular basis, depending on security assessments in the Chromium project.

As mentioned in the Qt documentation, the main Chromium version in use, as well as the reference to the latest security patches, can be looked up either programmatically, via API, or in the CHROMIUM_VERSION file in the top-level folder of the Qt WebEngine repository. In Qt 6.5.0, it is Chromium 108.0.5359.181 with security patches from Chromium 110.0.5481.104:

➜  qtwebengine git:(6.5.0)  cat CHROMIUM_VERSION

Based on Chromium version:                                      108.0.5359.181

Patched with security patches up to Chromium version:           110.0.5481.104

In Qt 6.5.1, it is Chromium 108.0.5359.181 (the same; continue reading to learn why) with security patches from Chromium 112.0.5615.138 (upgraded). You could ask why those numbers are so different if Qt 6.5.1 is just a patch release of Qt 6.5. This is because Chromium 108.0.5359.181 was integrated at the time of the Qt 6.5 feature freeze, long before 6.5.0. At the release time of 6.5.0, the security patches from Chromium 110.0.5481.104 were used to update the Chromium for the release of Qt 6.5.0. Later, with Qt 6.5.1, the security patches as of 112.0.5615.138 were taken in. So they basically include any other security patches between 110.0.5481.104 (in 6.5.0) and 112.0.5615.138 (in 6.5.1). If the IT security folks from your company or from your customer ask you which version of Chromium is running in your app, you can refer to this number.
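For answering that question in an automated check, here is an added example (not code from Qt or from the original post) that parses the CHROMIUM_VERSION format shown above and compares the security patch level, not the base version, against a required minimum. The names `parse_chromium_version`, `audit` and `required_patch_level` are hypothetical, and the sample input is constructed from the two lines quoted above.

```python
import re
from typing import NamedTuple

# Constructed sample input: the two lines shown above for the 6.5.0 tag.
SAMPLE_6_5_0 = """\
Based on Chromium version:                                      108.0.5359.181
Patched with security patches up to Chromium version:           110.0.5481.104
"""

class ChromiumLevel(NamedTuple):
    base: tuple      # major Chromium version set at Qt feature freeze
    patched: tuple   # newest Chromium release whose security patches are included

_LINE = re.compile(r"^(?P<label>[^:]+):\s*(?P<ver>\d+(?:\.\d+){3})$")

def as_tuple(version):
    # Compare numerically; string comparison would rank "99..." above "110...".
    return tuple(int(part) for part in version.split("."))

def parse_chromium_version(text):
    """Parse CHROMIUM_VERSION contents; blank or unrelated lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        label = m.group("label").lower()
        if "security patches" in label:
            found["patched"] = as_tuple(m.group("ver"))
        elif label.startswith("based on"):
            found["base"] = as_tuple(m.group("ver"))
    if set(found) != {"base", "patched"}:
        raise ValueError("expected both a base and a patch-level line")
    return ChromiumLevel(found["base"], found["patched"])

def audit(text, required_patch_level):
    """Return (ok, report); ok is True when the patch level meets the requirement."""
    level = parse_chromium_version(text)
    ok = level.patched >= as_tuple(required_patch_level)
    dotted = lambda v: ".".join(map(str, v))
    return ok, (f"base {dotted(level.base)}, patched up to {dotted(level.patched)}, "
                f"required {required_patch_level}: {'OK' if ok else 'BEHIND'}")

if __name__ == "__main__":
    print(audit(SAMPLE_6_5_0, "110.0.5481.104")[1])
    print(audit(SAMPLE_6_5_0, "112.0.5615.138")[1])
```

A scanner that reads only the base version would report 108 for both 6.5.0 and 6.5.1; the check above reports both numbers and decides on the patch level.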

(c) Update of the Qt WebEngine

This point marks the feature freeze of Qt 6.6 and, naturally, of Qt WebEngine as well. As in any other minor release, Qt WebEngine will move to a new Chromium release. The exact Chromium version will be updated by the time of the release of 6.6.0. This will form the Qt WebEngine 6.6, which will be provided with the Qt 6.5.x releases, for the first time with the next bug fix release of Qt 6.5. With this, a Qt 6.5 installation from the Qt Installer would also get a newer Chromium baseline version as well as all recent security patches, putting it at the same level as the Chromium in Qt WebEngine in Qt 6.6.x. So, if you keep updating Qt 6.5 in your application to its newer bug fix releases, your application will also get all Chromium security fixes from the Qt WebEngine 6.6.x.

(d) Updates continue

This point is comparable to point (c) in general. Updates continue with Qt 6.7 and Qt WebEngine 6.7. Notably, as the picture shows, the builds of Qt WebEngine 6.7 are not provided with Qt 6.6.x in the Qt Installer, but they are provided with Qt 6.5.x since it is an LTS release. Nevertheless, Qt WebEngine 6.7 should build and run well with Qt 6.6.x, but this is not tested on Qt CI. The Qt 6.5 LTS provides a baseline with ongoing Chromium updates, including the security-related ones.

(e) The next Qt release which will be LTS some time in the future

Qt 6.8 will be the next LTS release after Qt 6.5. At this stage, the process remains the same as described above, but then the (f) comes...

(f) The new regular release comes

This point brings differences, since it marks the start of a new cycle of upgrades of Qt WebEngine, which basically repeats all the principles of the process shown on the picture. Since Qt 6.9 corresponds to Qt 6.8 in terms of our process in the same way as Qt 6.6 did to 6.5, the new Chromium from Qt WebEngine 6.9 would only go to Qt 6.8 but not to Qt 6.5 on a regular basis. Still, in case of very important security fixes, we will update Qt 6.5 LTS as well. This was not needed in the past, though. The principles of intakes of Chromium and its versioning remain the same in general.

Summary

The update cycle for Qt WebEngine is outlined in the Qt Docs and discussed in this blog post to explain how Qt ships updated Chromium and its security fixes with updated Qt WebEngine for the lifetime of Qt LTS releases. Qt users can build a newer Qt WebEngine on top of a Qt build. Not all technically possible combinations are provided via the Qt Installer or tested in CI. Due to this, the scope of formal Support is limited to versions which are provided in the Qt Installer. Each new cycle of this update process starts with the first Qt release after an LTS release. Qt users should plan to update to new Qt LTS releases promptly. This ensures continuity in updates of Chromium over a longer period of time.

