WebKitGTK+ security and Debian
Emilio Pozuelo Monfort
pochu at debian.org
Mon Feb 22 18:29:27 UTC 2016
On 21/02/16 13:51, Alberto Garcia wrote:
> Hi,
>
> as you all know, WebKitGTK+ does not receive security updates in
> Debian.
>
> The reason for that is the lack of security support from upstream and
> the difficulty of making backports.
>
> I believe that this is no longer true.
>
> It's already been a while since the WebKitGTK+ team has had access to
> the upstream security bugs and CVE numbers, and security advisories
> have been published since January 2015:
>
> http://webkitgtk.org/security/WSA-2015-0001.html
>
> Upstream also has a policy of being conservative with the build
> dependencies so newer releases can be built in older operating
> systems.
>
> I think that it should be possible for Debian to provide security
> updates for WebKitGTK+ again. What we cannot provide is backports
> of individual fixes, but encourage people to switch to the latest
> upstream version instead.
>
> Further reading:
>
> https://blogs.gnome.org/mcatanzaro/2016/02/19/webkitgtk-gets-security-updates/
>
> What do you people think?

I agree. It'd be good to, at the very least, update to point releases in stable,
as you did with 2.4.9. Upgrading to a major version, e.g. doing webkit2gtk 2.6.x
-> 2.10.x would be more problematic as there is potential to break the rdeps. I
don't think the SRMs would approve that.

We could provide new major versions in -backports though, at least to see if we
get any feedback.

Cheers,
Emilio