Bug#863915: unblock: webkit2gtk/2.16.3-2

Jeremy Bicha jbicha at ubuntu.com
Thu Jun 1 21:15:23 UTC 2017


Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-CC: pkg-webkit-maintainers at lists.alioth.debian.org,
team at security.debian.org
Severity: normal

Please unblock package webkit2gtk for inclusion in Debian 9.0.

unblock webkit2gtk/2.16.3-2

Justification
-------------
Three known publicized security vulnerabilities have been fixed in
2.16.3: CVE-2017-2496, CVE-2017-2539 and CVE-2017-2510. For more
details about these and other recent security fixes, see [1].

webkit2gtk follows GNOME's Release Schedule (new major updates in
March and September with bugfix updates in between). The 2.14 series
is no longer supported and will not be updated to fix those or future
security vulnerabilities.

Background Info
---------------
Sadly, Debian's security packaging infrastructure is not set up to
test this kind of update very well. To provide a reasonable balance
between security for Debian 9 users and API stability for apps, the
current proposal [2] is to use Debian's s-p-u procedures and get these
updates into Debian point releases. This is a huge improvement over
Debian 8 where webkitgtk got only one early update and webkit2gtk was
only updated through backports. [3] [4] [5]

To summarize a bit of the discussion on debian-devel, Ubuntu 16.04 LTS
has been receiving new webkit2gtk versions within about a week of
their release. Although regressions are possible, these have been
averted so far because Ubuntu tests the new major beta releases in the
development release of Ubuntu and because regressions are quickly
pointed out by users of more bleeding-edge distros (and these
regressions are quickly fixed!).

Nearly every major distro now packages new webkit2gtk versions like
Ubuntu does. Debian's well-justified reputation for security
excellence is at risk of being tarnished if Debian ends up keeping
webkit2gtk 2.14 for Debian 9's entire lifetime.

Fedora 25 (current stable) got this update on May 28. Ubuntu 16.04 LTS
and newer got the update on May 30.

Besides publishing regular CVEs, the webkit2gtk developers have
intentionally crafted their dependency policy to explicitly support
the lifetime of Debian stable releases. [6]

The output from debdiff is way too large to attach here and probably
would not end up being useful. I am attaching the diff of the debian/
directory.

Testing Done
------------
I installed libwebkit2gtk-4.0-37 2.16.3-2 (and its dependencies) from
unstable on my Debian stretch install. I verified that these apps
still work fine:
- evolution
- epiphany-browser
- gnome-online-accounts
- yelp

References
----------
[1] https://webkitgtk.org/security.html
[2] https://lists.debian.org/debian-devel/2017/05/msg00378.html
[3] https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.html#browser-security
[4] https://tracker.debian.org/media/packages/w/webkitgtk/changelog-2.4.9-1~deb8u1
[5] https://tracker.debian.org/pkg/webkit2gtk
[6] https://trac.webkit.org/wiki/WebKitGTK/DependenciesPolicy

Thanks,
Jeremy Bicha
-------------- next part --------------
Attachment: webkit216.debdiff (application/octet-stream, 109226 bytes)
URL: <http://lists.alioth.debian.org/pipermail/pkg-webkit-maintainers/attachments/20170601/0402ed3d/attachment-0001.obj>
