Bug#989307: DSA-4923-1: upgrading libwebkit2gtk-4.0-37 on buster pulls in xdg-desktop-portal

Holger Levsen holger at debian.org
Mon May 31 19:32:53 BST 2021

Package: libwebkit2gtk-4.0-37
Version: 2.32.1-1~deb10u1
Severity: normal

Dear Maintainer,

from #debian-security today, Salvatore asked me to file this as a bug.

< h01ger> DSA 4923 causes xdg-desktop-portal(-gtk) to be installed here, much to my surprise and unhappyness
< h01ger> its a recommends, so i can apt remove it, but still...
< h01ger> https://paste.debian.net/1199471/
(which has this content)

Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following NEW packages will be installed:
   libpipewire-0.2-1 (0.2.5-1)
   xdg-desktop-portal (1.2.0-1)
   xdg-desktop-portal-gtk (1.2.0-1)
The following packages will be upgraded:
   libjavascriptcoregtk-4.0-18 (2.30.6-1~deb10u1 => 2.32.1-1~deb10u1)
   libwebkit2gtk-4.0-37 (2.30.6-1~deb10u1 => 2.32.1-1~deb10u1)
2 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 20.1 MB of archives.
After this operation, 5,376 kB of additional disk space will be used.
Do you want to continue? [Y/n] 

< carnil> h01ger: thanks forwarded to alberto
        * h01ger still busy cleaning systems
< h01ger> carnil: thanks!
< carnil> h01ger: the problem which is to be solved with it is apparently https://bugzilla.redhat.com/show_bug.cgi?id=1845743 (according to berto)
< h01ger> carnil: seems like. i've no flatpak and no snap and i dont expect to gain a dbus service granting privileges on a buster security update. (i've also seen it on bullseye upgrades but given that bullseye is not stable yet i wont complain here :)
< h01ger> carnil: do you think it would be useful if i'd file a bug about this issue?
< carnil> h01ger: at least the maintainer could comment himself on it, and explain on why the recommends, and maybe discussion can lead to that change is not suitable for the DSA, and we can drop it in the next upload.
< h01ger> carnil: was that a yes?
< carnil> h01ger: yes
< h01ger> carnil: ok. i'll include some lines from you here...
< carnil> h01ger: yes. I have no proplem if you mention I suggested to fill a but to ask to clarify the issue. But note I was only inbetween here.

Personally I think a DSA fixing this would be nice.


 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C

"Climate change" is an euphenism. "Global warming" as well.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-webkit-maintainers/attachments/20210531/1a4e2a9c/attachment.sig>

More information about the Pkg-webkit-maintainers mailing list