Bug#989307: DSA-4923-1: upgrading libwebkit2gtk-4.0-37 on buster pulls in xdg-desktop-portal

Alberto Garcia berto at igalia.com
Mon Jun 7 14:18:33 BST 2021


On Mon, Jun 07, 2021 at 08:52:32PM +0900, Olaf Meeuwissen wrote:
> >>     Package changes:
> >>     + fuse 2.9.9-1+deb10u1 amd64
> >>     + libpipewire-0.2-1 0.2.5-1 amd64
> >>     + xdg-desktop-portal 1.2.0-1 amd64
> >>     + xdg-desktop-portal-gtk 1.2.0-1 amd64
> >
> > Yes, these are the actual new dependencies.
> 
> Plus whatever these depend on that wasn't already installed.

This is the complete list of extra dependencies pulled
by xdg-desktop-portal-gtk on a clean buster system with
libwebkit2gtk-4.0-37 but no other recommended packages installed.

The following NEW packages will be installed:
  fuse libfuse2 libpipewire-0.2-1 xdg-desktop-portal xdg-desktop-portal-gtk

> > Future security updates and buster backports will Suggest
> > xdg-desktop-portal-gtk, although in bullseye it will still be a
> > recommendation.
> 
> Good.  I don't mind packages acquiring Recommends in testing/unstable.
> I do mind when that happens in stable-security.

I understand, but note that although in this particular case it
shouldn't have been a Recommends, we cannot guarantee that in general.
The WebKit packages in Debian follow the upstream stable branches
and like all other major browser engines they have frequent security
updates.

> Bloat.
> Increased attack surface.

Using xdg-desktop-portal-gtk is actually a consequence of the webkit
processes now running inside a sandbox for security reasons, so there
is a trade-off between not using the sandbox at all or using the
sandbox but recommending (not depending on) the portals. I chose the
latter.

> Just let this be a warning for *all* stable-security packages to
> pay some extra attention to changing dependencies.  If it's only
> changing versions of packages already depended upon, that's _probably_
> okay.  New packages should raise a red flag.

It was taken into account, and that is one of the reasons why it was
downgraded to a recommendation (it was initially a dependency).

Regards,

Berto

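The check Olaf asks for above (new packages in a stable-security upgrade should raise a red flag) can be automated by filtering a simulated apt run. This is an added example, not from the thread or the Debian packaging; it assumes the `apt-get -s` output format, where a fresh install prints `Inst pkg (newver ...)` and an upgrade prints `Inst pkg [oldver] (newver ...)`. The sample output below is constructed to mirror the buster update discussed here.

```shell
#!/bin/sh
# Added example: flag packages that a simulated apt upgrade would install
# for the first time, as opposed to packages it merely upgrades.
# On a real system feed it:  apt-get -s --with-new-pkgs upgrade | new_packages
# Add -o APT::Install-Recommends=false to see what a Recommends-free run pulls.

# Constructed sample of `apt-get -s --with-new-pkgs upgrade` output.
SAMPLE_APT_SIM='Inst libwebkit2gtk-4.0-37 [2.30.6-1~deb10u1] (2.32.1-1~deb10u1 Debian-Security:10/buster [amd64])
Inst fuse (2.9.9-1+deb10u1 Debian:10/buster [amd64])
Inst libfuse2 (2.9.9-1+deb10u1 Debian:10/buster [amd64])
Inst libpipewire-0.2-1 (0.2.5-1 Debian:10/buster [amd64])
Inst xdg-desktop-portal (1.2.0-1 Debian:10/buster [amd64])
Inst xdg-desktop-portal-gtk (1.2.0-1 Debian:10/buster [amd64])
Conf libwebkit2gtk-4.0-37 (2.32.1-1~deb10u1 Debian-Security:10/buster [amd64])
Conf fuse (2.9.9-1+deb10u1 Debian:10/buster [amd64])'

# new_packages: read apt simulation output on stdin and print one NEW package
# name per line (Inst lines whose third field is not a bracketed old version).
new_packages() {
    awk '$1 == "Inst" && $3 !~ /^\[/ { print $2 }'
}

# upgraded_packages: Inst lines that carry an old version in brackets.
upgraded_packages() {
    awk '$1 == "Inst" && $3 ~ /^\[/ { print $2 }'
}

# count_new: number of new packages in the constructed sample (stdout).
count_new() {
    printf '%s\n' "$SAMPLE_APT_SIM" | new_packages | wc -l | tr -d ' '
}

# review_upgrade: list new packages for inspection before the real upgrade;
# returns 1 when any are found so a wrapper script can stop and ask.
review_upgrade() {
    new=$(printf '%s\n' "$SAMPLE_APT_SIM" | new_packages)
    if [ -n "$new" ]; then
        echo "NEW packages would be installed (review before upgrading):"
        echo "$new" | sed 's/^/  /'
        return 1
    fi
    echo "No new packages; only version changes."
    return 0
}
```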