Bug#863915: unblock: webkit2gtk/2.16.3-2
Carlos Alberto Lopez Perez
clopez at igalia.com
Fri Jun 2 12:47:58 UTC 2017
On 02/06/17 10:27, Emilio Pozuelo Monfort wrote:
> Hi Jeremy,
>
> On 01/06/17 23:15, Jeremy Bicha wrote:
>> Please unblock package webkit2gtk for inclusion in Debian 9.0.
>>
>> unblock webkit2gtk/2.16.3-2
>>
>> Justification
>> ------------------
>> Three known publicized security vulnerabilities have been fixed in
>> 2.16.3: CVE-2017-2496, CVE-2017-2539 and CVE-2017-2510. For more
>> details about these and other recent security fixes, see [1].
>>
>> webkit2gtk follows GNOME's Release Schedule (new major updates in
>> March and September with bugfix updates in between). The 2.14 series
>> is no longer supported and will not be updated to fix those or future
>> security vulnerabilities.
>>
>> Background Info
>> ------------------------
>> Sadly, Debian's security packaging infrastructure is not set up to
>> test this kind of update very well. To provide a reasonable balance
>> between security for Debian 9 users and API stability for apps, the
>> current proposal [2] is to use Debian's s-p-u procedures and get these
>> updates into Debian point releases. This is a huge improvement over
>> Debian 8 where webkitgtk got only one early update and webkit2gtk was
>> only updated through backports. [3] [4] [5]
>>
>> To summarize a bit of the discussion on debian-devel, Ubuntu 16.04 LTS
>> has been receiving new webkit2gtk versions within about a week of
>> their release. Although regressions are possible, these have been
>> averted so far because Ubuntu tests the new major beta releases in the
>> development release of Ubuntu and because regressions are quickly
>> pointed out by users of more bleeding-edge distros (and these
>> regressions are quickly fixed!)
>
> Could you list all the known regressions that resulted from these updates in
> Ubuntu? I think that would be an interesting data point for this discussion, so
> that we can assess not just the number of regressions, but the severity of them
> and how/if they were fixed (e.g. if upstream cared about these in the cases that
> were reported to them, etc). If you can provide bug#, severity, and a timeline
> (e.g. webkit update to -proposed, webkit update to $distro, date of regression
> reported, regression fixed) that'd be helpful.
>
> Also it'd be nice to know what kind of automated testing is happening. I know
> WebKit has an extensive test suite (including layout tests) that upstream
> continuously runs for development series. I don't know if that's the same for
> stable series though. Also can we enable the test suite in Debian?
>
On trunk (master) we have extensive test coverage for each commit.
We even have a bot testing that WebKitGTK+ always remains buildable
both on Debian stable and Ubuntu LTS. Check our bots here:
http://build.webkit.org/waterfall?category=GTK
All those bots are running Debian 9, except for the 32-bit and ARM bots,
which are running Debian 8 but will eventually be upgraded to Debian 9
as well.
(Also except the Debian and Ubuntu bots, which are of course running
Debian 8 and Ubuntu 16.04.)
For the stable branch (which is what you are interested in, I guess) we
have a bot running all those tests here:
https://build-webkit.igalia.com/waterfall?category=GTK
This bot running the tests on the stable branch is currently running
Debian 8 as its base distro.
We are happy to upgrade it to Debian 9 if you wish (it is something we
will eventually do in any case).
Note that those 9 failures are not really meaningful.
The current layout test suite of WebKit has 47556 tests.
If there is some more testing we can do to accommodate your needs, we
will be happy to help.
Regards.