[Secure-testing-team] On the supportability of webkit

Mike Hommey mh at glandium.org
Mon Dec 21 17:27:05 UTC 2009


On Mon, Dec 21, 2009 at 06:10:08PM +0100, Yves-Alexis Perez wrote:
> Michael Gilbert wrote:
> > Hi all,
> > 
> > The number of open CVEs for webkit during lenny's lifetime so far has
> > been incredibly high. Only rivaled by openjdk and the kernel (at
> > times), but those seem to get updates reasonably fast even though there
> > are a large number.  Giuseppe has done some good work fixing a large
> > number of webkit issues recently, which is great, but still another 19
> > remain.
> > 
> > The root of this problem is that Debian does not have access to Apple's
> > private security list [0].  The thing is that they have already offered
> > access in the past (to anyone with a debian.org address) [1], but no one
> > stepped up to the plate.  I would take on the responsibility, but I am
> > not a DD.
> > 
> > So, I think at this point, webkit should be strongly considered for
> > removal in the next lenny point release (because I don't foresee things
> > getting any better any time soon), and possibly from squeeze as well.
> > However, this concern could be rendered moot should someone volunteer
> > to gain access to the private webkit list.
> 
> Were the webkit maintainers aware of that proposal?

No, and the main problem with webkit is that a lot of the CVEs that are
supposedly affecting it are OSX-only or Safari-only issues. There is a
huge lack of *webkit* security tracking upstream.

Gustavo, since you are involved upstream, do you know if things are
moving for that?

Mike

PS: removing webkit from squeeze is something that will not work. It
would remove important GNOME applications.
