WebKitGTK+ security and Debian

Emilio Pozuelo Monfort pochu at debian.org
Mon Feb 22 18:29:27 UTC 2016


On 21/02/16 13:51, Alberto Garcia wrote:
> Hi,
> 
> as you all know, WebKitGTK+ does not receive security updates in
> Debian.
> 
> The reason for that is the lack of security support from upstream and
> the difficulty of making backports.
> 
> I believe that this is no longer true.
> 
> It's been a while already since the WebKitGTK+ team has had access to
> the upstream security bugs and CVE numbers, and security advisories
> have been published since January 2015:
> 
>    http://webkitgtk.org/security/WSA-2015-0001.html
> 
> Upstream also has a policy of being conservative with the build
> dependencies so newer releases can be built in older operating
> systems.
> 
> I think that it should be possible for Debian to provide security
> updates for WebKitGTK+ again. What we cannot provide is backports
> of individual fixes, but we can encourage people to switch to the
> latest upstream version instead.
> 
> Further reading:
> 
>    https://blogs.gnome.org/mcatanzaro/2016/02/19/webkitgtk-gets-security-updates/
> 
> What do you people think?

I agree. It'd be good to, at the very least, update to point releases in stable,
as you did with 2.4.9. Upgrading to a major version, e.g. doing webkit2gtk 2.6.x
-> 2.10.x, would be more problematic as there is potential to break the rdeps. I
don't think the SRMs would approve that.

We could provide new major versions in -backports though, at least to see if we
get any feedback.

Cheers,
Emilio
