WebKitGTK+ security and Debian
Emilio Pozuelo Monfort
pochu at debian.org
Mon Feb 22 18:29:27 UTC 2016
On 21/02/16 13:51, Alberto Garcia wrote:
> as you all know, WebKitGTK+ does not receive security updates in
> The reason for that is the lack of security support from upstream and
> the difficulty of making backports.
> I believe that this is no longer true.
> It's been already a while since the WebKitGTK+ team has access to the
> upstream security bugs and CVE numbers, and security advisories are
> being published since January 2015:
> Upstream also has a policy of being conservative with the build
> dependencies so newer releases can be built in older operating
> I think that it should be possible for Debian to provide security
> updates for WebKitGTK+ again. What we cannot provide is backports
> of individual fixes, but encourage people to switch to the latest
> upstream version instead.
> Further reading:
> What do you people think?
I agree. It'd be good to, at the very least, update to point releases in stable,
as you did with 2.4.9. Upgrading to a major version, e.g. doing webkit2gtk 2.6.x
-> 2.10.x would be more problematic as there is potential to break the rdeps. I
don't think the SRMs would approve that.
We could provide new major versions in -backports though, at least to see if we
get any feedback.