WebKitGTK+ security and Debian

Emilio Pozuelo Monfort pochu at debian.org
Thu Feb 25 20:05:29 UTC 2016

On 23/02/16 11:28, Alberto Garcia wrote:
> On Mon, Feb 22, 2016 at 07:29:27PM +0100, Emilio Pozuelo Monfort wrote:
>> I agree. It'd be good to, at the very least, update to point releases
>> in stable, as you did with 2.4.9. Upgrading to a major version,
>> e.g. doing webkit2gtk 2.6.x -> 2.10.x would be more problematic as
>> there is potential to break the rdeps. I don't think the SRMs would
>> approve that.
> The idea is that the API is stable in order to keep the rdeps fine,
> but it's of course more risky than cherry picking one or two patches.

Yeah. My point is that a huge set of changes across major versions is more
likely to break rdeps than a small set of bug fixes across micro version updates.

For packages such as chromium or iceweasel that have no rdeps (except for e.g.
extensions) that is less of a problem than it is for a shared lib such as webkit
that could break GNOME 3.14 if webkit was upgraded to the version that is (will
be) usually shipped with GNOME 3.22. Maybe nothing would break, but I hope you
see my point :)

>> We could provide new major versions in -backports though, at least
>> to see if we get any feedback.
> I wonder btw if the switch to -dbgsym would get in the way:
> https://anonscm.debian.org/cgit/pkg-webkit/webkit.git/commit/?h=wk2/unstable&id=39d223f2934b3bab6c5e2501234ea34afb33ca0a
> What would we do in the backports? Disable the debug packages
> entirely?

Yeah, or revert that.


More information about the Pkg-webkit-maintainers mailing list