Bug#649625: unmaintained security-wise (again)
Moritz Muehlenhoff
jmm at debian.org
Tue Nov 22 20:39:41 UTC 2011
Source: webkit
Severity: grave
Security support for webkit in Lenny was a total mess and we had
to give up eventually. Prior to the Squeeze release it was stated that this
wouldn't happen again, since there was a long term maintenance
branch.
This led to the following entry in the Squeeze release notes:
http://www.debian.org/releases/stable/i386/release-notes/ch-information.de.html#browser-security
Nine months later history repeats itself:
I have no idea whether this LTS branch exists, but webkit is
- as in Squeeze - unmaintained wrt security updates.
We've had one DSA in March and the list of open security issues
is unmanageable. (This doesn't even include the huge list of
issues which potentially affect webkit due to chromium code
heritage:
http://security-tracker.debian.org/tracker/status/undetermined)
So far, only two maintainer teams (essentially in both cases
a one-man show) have shown that they're able to sustainably
support a full-featured browser with security updates:
iceweasel and chromium.
I guess the consequence is to pick one of the two as the
default browser for Wheezy and to demote webkit as another
unsupported HTML render engine usable to render an HTML
help, but not for a full browser (just like khtml and qtwebkit).
Cheers,
Moritz
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash