[Secure-testing-team] On the supportability of webkit

Michael Gilbert michael.s.gilbert at gmail.com
Tue Dec 22 00:02:44 UTC 2009


On Mon, 21 Dec 2009 18:10:08 +0100 Yves-Alexis Perez wrote:

> Michael Gilbert wrote:
> > Hi all,
> > 
> > The number of open CVEs for webkit during lenny's lifetime so far has
> > been incredibly high. Only rivaled by openjdk and the kernel (at
> > times), but those seem to get updates reasonably fast even though there
> > are a large number.  Giuseppe has done some good work fixing a large
> > number of webkit issues recently, which is great, but still another 19
> > remain.
> > 
> > The root of this problem is that debian does not have access to apple's
> > private security list [0].  The thing is that they have already offered
> > access in the past (to anyone with a debian.org address) [1], but no one
> > stepped up to the plate.  I would take on the responsibility, but I am
> > not a DD.
> > 
> > So, I think at this point, webkit should be strongly considered for
> > removal in the next lenny point release (because I don't foresee things
> > getting any better any time soon), and possibly from squeeze as well.
> > However, this concern could be rendered moot should someone volunteer
> > to gain access to the private webkit list.
> 
> Were the webkit maintainers aware of that proposal?

Not yet.  I wanted to start a conversation with the security team
first to determine a direction.  The ideal solution is simple since the
upstream webkit security team will grant anyone with a debian.org
address access to their private security list.  So, we just need
someone to volunteer to do that.  Any takers?

Mike


