[Secure-testing-team] On the supportability of webkit
michael.s.gilbert at gmail.com
Tue Dec 22 00:02:44 UTC 2009
On Mon, 21 Dec 2009 18:10:08 +0100 Yves-Alexis Perez wrote:
> Michael Gilbert a écrit :
> > Hi all,
> > The number of open CVEs for webkit during lenny's lifetime so far has
> > been incredibly high. Only rivaled by openjdk and the kernel (at
> > times), but those seem to get updates reasonably fast even though there
> > are a large number. Guisseppe has done some good work fixing a large
> > number of webkit issues recently, which is great, but still another 19
> > remain.
> > The root of this problem is that debian does not have access to apple's
> > private security list . The thing is that they have already offered
> > access in the past (to anyone with a debian.org address) , but no one
> > stepped up to the plate. I would take on the responsibility, but I am
> > not a DD.
> > So, I think at this point, webkit should be strongly considered for
> > removal in the next lenny point release (because I don't forsee things
> > getting any better any time soon), and possibly from squeeze as well.
> > However, this concern could be rendered moot should someone volunteer
> > to gain access to the private webkit list.
> Were the webkit maintainers aware of that proposal?
Not yet. I wanted to start a conversation with the security team
first to determine a direction. The ideal solution is simple since the
upstream webkit security team will grant anyone with a debian.org
address access to their private security list. So, we just need
someone to volunteer to do that. Any takers?
More information about the Pkg-webkit-maintainers