GNOME Epiphany -> Web package branding and default inclusion in Debian GNOME

Alberto Garcia berto at igalia.com
Tue Jan 3 21:55:58 UTC 2017


Hey, sorry for the late reply, I was on my Christmas break :)

On Mon, Dec 26, 2016 at 05:38:40PM +0100, Laurent Bigonville wrote:

> The problem actually comes from webkit2gtk that is/was not providing
> stable security updates (this might have changed recently) and the
> debian security team is not happy with that situation especially
> with that kind of project.

WebKitGTK+ does provide security updates in the stable branch. What it
doesn't do (and probably never will) is to make releases with security
updates only. I believe this is more or less the same as what happens
with Firefox or Chromium. More information here:

https://blogs.gnome.org/mcatanzaro/2016/02/19/webkitgtk-gets-security-updates/
https://blogs.gnome.org/mcatanzaro/2016/03/30/positive-progress-on-webkitgtk-security-updates/

WebKitGTK+ is also very conservative with its build dependencies, and
as a matter of fact I can build the latest development version in jessie
(and probably wheezy?) without problems. I've been taking care of the
backports for jessie for a few months now.

> >Can we please make GNOME Web installed by default when using the
> >GNOME environment?
> 
> We'll have to see the kind of guarantee upstream (I added Alberto who
> is taking care of webkitgtk in debian) can offer regarding the
> security updates and also discuss with the release and security
> teams in debian before this could happen. On top of that we also need
> to take into account that the freeze will happen soon.

It's theoretically possible to update to the most recent stable
version of WebKitGTK+ every time there's a security bug the same way
we do with Firefox ESR.

There's one important thing to take into account however: when you
upgrade WebKitGTK+ to the latest stable you get all kinds of fixes,
not just for security bugs. So while I don't think build dependencies
are going to be a problem, there's always the possibility of bringing
regressions. A regression in Firefox ESR is bad, but it only breaks
the browser. WebKitGTK+ is a shared library, so a regression can
potentially break several packages.

Berto
