Bug#863915: unblock: webkit2gtk/2.16.3-2

Emilio Pozuelo Monfort pochu at debian.org
Fri Jun 2 08:27:34 UTC 2017


Hi Jeremy,

On 01/06/17 23:15, Jeremy Bicha wrote:
> Please unblock package webkit2gtk for inclusion in Debian 9.0.
> 
> unblock webkit2gtk/2.16.3-2
> 
> Justification
> ------------------
> Three known publicized security vulnerabilities have been fixed in
> 2.16.3: CVE-2017-2496, CVE-2017-2539 and CVE-2017-2510. For more
> details about these and other recent security fixes, see [1].
> 
> webkit2gtk follows GNOME's Release Schedule (new major updates in
> March and September with bugfix updates in between). The 2.14 series
> is no longer supported and will not be updated to fix those or future
> security vulnerabilities.
> 
> Background Info
> ------------------------
> Sadly, Debian's security packaging infrastructure is not set up to
> test this kind of update very well. To provide a reasonable balance
> between security for Debian 9 users and API stability for apps, the
> current proposal [2] is to use Debian's s-p-u procedures and get these
> updates into Debian point releases. This is a huge improvement over
> Debian 8 where webkitgtk got only one early update and webkit2gtk was
> only updated through backports. [3] [4] [5]
> 
> To summarize a bit of the discussion on debian-devel, Ubuntu 16.04 LTS
> has been receiving new webkit2gtk versions within about a week of
> their release. Although regressions are possible, these have been
> averted so far because Ubuntu tests the new major beta releases in the
> development release of Ubuntu and because regressions are quickly
> pointed out by users of more bleeding-edge distros (and these
> regressions are quickly fixed!).

Could you list all the known regressions that resulted from these updates in
Ubuntu? I think that would be an interesting data point for this discussion, so
that we can assess not just the number of regressions, but the severity of them
and how/if they were fixed (e.g. if upstream cared about these in the cases that
were reported to them, etc). If you can provide bug#, severity, and a timeline
(e.g. webkit update to -proposed, webkit update to $distro, date of regression
reported, regression fixed) that'd be helpful.

Also it'd be nice to know what kind of automated testing is happening. I know
WebKit has an extensive test suite (including layout tests) that upstream
continuously runs for development series. I don't know if that's the same for
stable series though. Also can we enable the test suite in Debian?

Updating to supported webkit2gtk releases would be nice to keep it secure. OTOH
SRMs are (understandably) concerned about regressions. So let's see if we can
give them some more information so they can make an informed decision.

Thanks,
Emilio
