Release notes entry for web browser security support

Moritz Muehlenhoff jmm at inutil.org
Mon Jan 10 23:40:42 UTC 2011


On Mon, Jan 10, 2011 at 11:12:39PM +0100, Josselin Mouette wrote:
> Heya,
> 
> Le lundi 10 janvier 2011 à 20:56 +0100, Moritz Muehlenhoff a écrit : 
> > As such, browsers built upon the webkit, qtwebkit
> > and khtml engines are included in Squeeze, but not covered by full security 
> > support. We will make an effort to track down and backport security fixes,
> > but in general these browsers should not be used against untrusted websites.
> 
> I was under the impression that upstream promised long-term maintenance
> for the webkit 1.2 branch. It is one of the reasons for which epiphany
> was kept as the default browser for GNOME. Is that no longer true?

I couldn't find that branch on http://trac.webkit.org/browser , but some
digging revealed that there's in fact a stable branch maintained elsewhere:
http://gitorious.org/webkitgtk/stable/commits/master

So I have to retract my statement on the lack of upstream support for
gtkwebkit. That's certainly a good thing.

But it still leaves us with the problem that webkit in Debian isn't maintained
properly. The last upload fixing security issues was 2.5 months ago and
we already have 51 unchecked issues potentially affecting webkit (since
they were reported/fixed for Chromium and many of these affect webkit) and
seven for which it has been verified that Squeeze's webkit is affected:

$ grep webkit CVE/list  | grep unfixed | grep -v unimportant | wc -l
7

$ grep webkit CVE/list | grep undetermined | wc -l
51

So people need to step forward and commit to maintenance, otherwise
we'll end up with the same situation as in Lenny.

Cheers,
        Moritz
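The counts above come from a plain `grep webkit` over the security tracker's CVE/list, which also matches qtwebkit entries and description lines that merely mention webkit. The script below is an added example, not part of this mail or of the tracker tooling: it assumes the CVE/list layout of a `CVE-YYYY-NNNN (description)` header followed by indented `- <package> <version-or-status> (notes)` lines, counts entries by exact source package and status, and shows the difference against the grep pipeline from the mail. The sample data is constructed for the example and is not real tracker content.

```shell
#!/bin/sh
# Added example: per-package triage counts over a Debian security-tracker
# style CVE/list.  The format below is an assumption about the tracker's
# layout; the entries themselves are constructed, not real CVE data.
SAMPLE_CVE_LIST='CVE-2011-0001 (Use-after-free in DOM handling)
	- webkit <unfixed> (bug #1)
	- qtwebkit <unfixed>
	- chromium-browser 8.0.552.237~r70801-1
CVE-2011-0002 (Out-of-bounds read in SVG rendering)
	- webkit <undetermined>
	- qtwebkit <undetermined>
	- chromium-browser 8.0.552.237~r70801-1
CVE-2011-0003 (Integer overflow in webkit image decoder)
	- webkit <unfixed> (unimportant; not reachable in the Debian build)
	- qtwebkit <not-affected>
CVE-2011-0004 (Crash in webkit JavaScript bindings)
	- webkit <undetermined>
	- kdelibs <undetermined>
'

# list_cves PKG STATUS: print the CVE ids whose entry for source package PKG
# is marked <STATUS>, skipping entries tagged unimportant.  Matching on the
# whole package field ($2) keeps "qtwebkit" from counting as "webkit".
list_cves() {
    printf '%s' "$SAMPLE_CVE_LIST" | awk -v pkg="$1" -v st="<$2>" '
        /^CVE-/ { cve = $1; next }
        $1 == "-" && $2 == pkg && $3 == st && $0 !~ /unimportant/ { print cve }
    '
}

# count_status PKG STATUS: number of entries list_cves would print.
count_status() {
    list_cves "$1" "$2" | awk 'END { print NR }'
}

# grep_count STATUS: the pipeline from the mail, run over the same sample.
# Any line containing "webkit" qualifies, so qtwebkit lines are included.
grep_count() {
    printf '%s' "$SAMPLE_CVE_LIST" | grep webkit | grep "$1" \
        | grep -v unimportant | wc -l | tr -d ' '
}

# Stand-alone run: the exact count for webkit differs from the grep count
# because the qtwebkit <unfixed> line is swept up by "grep webkit".
echo "webkit unfixed (exact):       $(count_status webkit unfixed)"
echo "webkit undetermined (exact):  $(count_status webkit undetermined)"
echo "qtwebkit unfixed (exact):     $(count_status qtwebkit unfixed)"
echo "unfixed via grep webkit:      $(grep_count unfixed)"
```

Running it against a real CVE/list only needs `printf '%s' "$SAMPLE_CVE_LIST"` replaced by `cat CVE/list`; the awk filter is the part that matters, since it ties each status line back to its CVE header and matches the package name as a whole field.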


