Bug#855048: qgis: Ships an unsupported copy of QtWebkit in public Python path without any transition
Bas Couwenberg
sebastic at xs4all.nl
Mon Feb 13 15:17:19 UTC 2017
Control: severity -1 important
On 2017-02-13 15:57, Raphaël Hertzog wrote:
> python-qt4 dropped support for QtWebkit it's because it was not
> possible to provide security support for it (cf #784514). You disabled
> that support in response to that bug.
>
> But later you decided to re-enable it using an embedded copy, the net
> result is that python-qgis is now shipping files that used to be
> shipped by python-qt4:
> /usr/lib/python2.7/dist-packages/PyQt4/QtWebKit.x86_64-linux-gnu.so
Yes, because QGIS without QtWebKit loses most plugins and other
functionality demanded by users.
> There are two problems:
>
> 1/ the upgrade is not safe, you can have conflicts with python-qt4 if
> python-qgis is upgraded before python-qt4 (even more likely in Kali
> where we kept QtWebkit a while longer in python-qt4)
Adding Breaks/Replaces is no problem.
> 2/ if QtWebkit cannot be suppported in python-qt4, it also cannot be
> supported in python-qgis
It doesn't have to be supported to be included.
> IMO you should disable that embedded copy usage or at least get a prior
> ack from the security team.
NAK, the QtWebKit support stays as it's in the interest of our users.
Upstream added the QtWebKit support for Python because the C++ package
(qtwebkit) is still available and only the in development 3.x branch of
QGIS has support for Qt5.
The debian-security-support package already warns about no security
support for qtwebkit so that doesn't change anything wrt QtWebKit
support in QGIS.
Kind Regards,
Bas
More information about the Pkg-grass-devel
mailing list