Release notes entry for web browser security support

Moritz Mühlenhoff jmm at inutil.org
Wed Feb 2 20:01:44 UTC 2011


On Wed, Feb 02, 2011 at 07:33:27PM +0100, Julien Cristau wrote:
> On Mon, Jan 10, 2011 at 20:56:01 +0100, Moritz Muehlenhoff wrote:
> 
> > State of browser support
> > 
> > Debian Squeeze includes several browser engines which are affected by a frequent
> > stream of security vulnerabilities. The high rate of vulnerabilities
> > and lack of upstream support in the form of long term branches make it
> > close to impossible to support these browsers with backported security
> > fixes. Additionally, library interdependencies make it impossible to update to newer
> > upstream releases. As such, browsers built upon the webkit, qtwebkit
> > and khtml engines are included in Squeeze, but not covered by full security 
> > support. We will make an effort to track down and backport security fixes,
> > but in general these browsers should not be used against untrusted websites.
> > 
> > For general web browser use we recommend browsers building on the 
> > Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium. Xulrunner
> > has had a history of good backportability for older releases over the
> > previous release cycles.
> > 
> > Chromium - while built upon the Webkit codebase - is a leaf package, i.e.
> > if backporting becomes no longer feasible, there's still the possibility of
> > upgrading to a later upstream release (which is not possible for the
> > webkit library itself).
> > 
> Should I include this in the release notes then, or does the webkit part
> need changes?

Slightly modified (including the fact that there's in fact an LTS branch
by Collabora and Red Hat):

---
Debian Squeeze includes several browser engines which are affected
by a frequent stream of security vulnerabilities. The high rate of
vulnerabilities and partial lack of upstream support in the form of
long term branches make it very difficult to support these browsers
with backported security fixes. Additionally, library interdependencies
make it impossible to update to newer upstream releases. As such,
browsers built upon the qtwebkit and khtml engines are included in
Squeeze, but not covered by full security support. We will make an
effort to track down and backport security fixes, but in general
these browsers should not be used against untrusted websites.

For general web browser use we recommend browsers building on the
Mozilla xulrunner engine (Iceweasel and Iceape), browsers based on
the Webkit engine (e.g. Epiphany) or Chromium. Xulrunner
has had a history of good backportability for older releases over
the previous release cycles.

Chromium - while built upon the Webkit codebase - is a leaf package,
i.e. if backporting becomes no longer feasible, there's still the
possibility of upgrading to a later upstream release (which is not
possible for the webkit library itself).

Webkit is supported by upstream with a long term maintenance branch.
---

Cheers,
        Moritz
