Security plan for webkit in wheezy

Michael Gilbert michael.s.gilbert at
Sun Feb 6 19:36:54 UTC 2011

On Tue, 1 Feb 2011 22:56:29 -0500 Michael Gilbert wrote:

> Since backporting security patches is a real pain, I was thinking that
> it may be wise to stick with the 1.2.x stable branch for as long as
> possible during the wheezy development cycle (preferably until the
> stable webkit series to be released with wheezy is ready or near
> ready).  Hence we can upload the same package to both stable-security
> and unstable at the same time; thus eliminating a lot of duplicate
> work.  In the meantime newer upstream series can be uploaded to
> experimental to appease those that need to be on the bleeding edge.
> I understand that this may have some undesired consequences since it
> may hold back packages that people want to move fast like epiphany.  But
> again, the newer release can be supported in experimental.  However, in
> terms of providing a "secure testing", I think this is necessary since
> webkit just has so many issues.
> In the meantime, I'm trying to push the debian-specific patches into
> the upstream stable release, and I'm going to try to get more involved
> in the stable release process there since there are still a bunch of
> security patches that need to get applied.
> Anyway, just something to think about.

Are there any thoughts on this idea?  Otherwise, I'd say lets just go
ahead and make this a quasi-formal plan for the near future.

So, unstable (and thus wheezy) will stay in sync with the 1.2.x
releases, and experimental will get the 1.3.x or greater releases
(even after upstream declares 1.3.x or 1.4.x stable).

Best wishes,

More information about the Pkg-webkit-maintainers mailing list