Bug#989307: DSA-4923-1: upgrading libwebkit2gtk-4.0-37 on buster pulls in xdg-desktop-portal

Olaf Meeuwissen paddy-hack at member.fsf.org
Sun Jun 13 02:52:18 BST 2021


Hi Alberto,

Alberto Garcia writes:

> On Mon, Jun 07, 2021 at 08:52:32PM +0900, Olaf Meeuwissen wrote:
>> >>     Package changes:
>> >>     + fuse 2.9.9-1+deb10u1 amd64
>> >>     + libpipewire-0.2-1 0.2.5-1 amd64
>> >>     + xdg-desktop-portal 1.2.0-1 amd64
>> >>     + xdg-desktop-portal-gtk 1.2.0-1 amd64
>> >
>> > Yes, these are the actual new dependencies.
>>
>> Plus whatever these depend on that wasn't already installed.
>
> This is the complete list of extra dependencies pulled
> by xdg-desktop-portal-gtk on a clean buster system with
> libwebkit2gtk-4.0-37 but no other recommended packages installed.
>
> The following NEW packages will be installed:
>   fuse libfuse2 libpipewire-0.2-1 xdg-desktop-portal xdg-desktop-portal-gtk
>
>> > Future security updates and buster backports will Suggest
>> > xdg-desktop-portal-gtk, although in bullseye it will still be a
>> > recommendation.
>>
>> Good.  I don't mind packages acquiring Recommends in testing/unstable.
>> I do mind when that happens in stable-security.
>
> I understand, but note that although in this particular case it
> shouldn't have been a Recommends, we cannot guarantee that in general.
> The WebKit packages in Debian follow the upstream stable branches
> and like all other major browser engines they have frequent security
> updates.

Thanks for the additional info.
I understand that Debian's decision to follow upstreams for selected
packages (all of them browser related IIRC) because backporting security
fixes was not feasible may occasionally trigger installation of a new
library package.  That's fine.

>> Bloat.
>> Increased attack surface.
>
> Using xdg-desktop-portal-gtk is actually a consequence of the webkit
> processes now running inside a sandbox for security reasons, so there
> is a trade-off between not using the sandbox at all or using the
> sandbox but recommending (not depending on) the portals. I chose the
> latter.

I see.  Perhaps that could have been communicated in NEWS.Debian.  Then
at least I might have seen it explained during the upgrade.  Even if I
had opted not to include the Recommends:, I would have been able to make
up my mind about adding them or not.  Just a thought.

>> Just let this be a warning for *all* stable-security packages to
>> pay some extra attention to changing dependencies.  If it's only
>> changing versions of packages already depended upon, that's _probably_
>> okay.  New packages should raise a red flag.
>
> It was taken into account, and that is one of the reasons why it was
> downgraded to a recommendation (it was initially a dependency).

Again, thanks for the extra info.
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
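The "new packages should raise a red flag" point above can be turned into a pre-upgrade check. The script below is an added example, not code from this thread or from the Debian WebKit packaging: it parses apt-get's simulation output for the "The following NEW packages will be installed:" section and refuses an unattended upgrade when that list is non-empty. It assumes Debian's apt-get; the sample output embedded in it is constructed from the package names quoted in the thread, not a captured transcript.

```shell
#!/bin/sh
# Added example, not code from this thread: parse apt-get's simulation output
# and surface packages the upgrade would install for the first time, so that
# a NEW dependency in a stable-security update gets looked at before it lands.
# Assumes Debian's apt-get; the sample output below is constructed from the
# package names quoted in the thread and is not a captured transcript.

# Print, one per line, the names listed under "The following NEW packages
# will be installed:" in apt-get output read from stdin. Nothing is printed
# when no such section exists.
new_packages() {
    awk '
        /^The following NEW packages will be installed:/ { grab = 1; next }
        grab && /^[^ ]/ { grab = 0 }   # section ends at the first unindented line
        grab { for (i = 1; i <= NF; i++) print $i }
    '
}

# Simulate upgrading the given packages on a live system and return 1 if any
# package would be newly installed, so an unattended upgrade can stop for a
# human to review the new dependency (for example a Recommends pulling in a
# portal and its own dependencies, as happened with DSA-4923-1).
check_upgrade() {
    command -v apt-get >/dev/null 2>&1 || { echo "apt-get not found" >&2; return 2; }
    found=$(apt-get -s install --only-upgrade "$@" 2>/dev/null | new_packages)
    if [ -n "$found" ]; then
        echo "upgrade of $* would newly install:" >&2
        echo "$found" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Constructed sample in the format apt-get prints, using the names from the
# thread; on a real buster host run: check_upgrade libwebkit2gtk-4.0-37
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
  fuse libfuse2 libpipewire-0.2-1 xdg-desktop-portal xdg-desktop-portal-gtk
The following packages will be upgraded:
  libwebkit2gtk-4.0-37
1 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.'

printf '%s\n' "$SAMPLE_APT_OUTPUT" | new_packages
```

Wiring `check_upgrade` into the unattended-upgrades hook or a cron job gives the "extra attention to changing dependencies" a concrete gate: version bumps of already-installed packages pass, new packages stop the run for review.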
