Bug#1029206: [pre-approval] unblock: webkit2gtk 2.40.0-2

Jeremy Bicha jeremy.bicha at canonical.com
Thu Jan 19 17:02:38 GMT 2023


Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock transition moreinfo
Tags: security
X-Debbugs-CC: webkit2gtk at packages.debian.org

I am filing this bug early so that the Release Team is aware early.

[ Reason ]
webkit2gtk only provides security support for one stable series at a
time. A new series is released each March and September. The Debian
Security Team backports these new releases as security updates [1] [2].

The upcoming 2.40.0 is more disruptive than usual as it makes a major
API break for the new GTK4 library, bumping the API series from 5 to 6
[3]. This causes a small transition: gnome-builder 43 and
gnome-initial-setup 43 are the only two packages that use the gtk4
library. They will both need sourceful uploads. Patches will be ready
for both since the upstream webkitgtk team works closely with the
GNOME project.

[ Impact ]
Because the 2.38 series will be End of Life before Debian 12 is
released, I believe the Security Team wants 2.40 to make it to Testing.

[ Tests ]
There are no automated tests (!)
The person who uploads gnome-builder and gnome-initial-setup (likely
me) will make sure those 2 apps still run well with the new webkit2gtk
version.

[ Risks ]
The code changes in a new major webkit2gtk release are too large to
manually review.
webkit2gtk is a key package.
Besides gnome-builder and gnome-initial-setup, webkit2gtk is used by
many packages. [4]

[ Checklist ]
  [ ] all changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

[ Other Info ]
webkit2gtk generally follows the GNOME release schedule. [5] A beta
(2.39.90) is expected in February. A release candidate (2.39.91)
around March 6, and the first stable release (2.40.0) around March 20.
We intend to do a test build in experimental first. I think it makes
the most sense to wait for the 2.40.0 release and not push a prerelease
to Unstable/Testing.

Ubuntu 23.04 will also switch to the 2.40 series by February or early
March. Ubuntu 22.10 will need to do this transition as stable release
updates.

I don't have a ben file since the final soname isn't known yet.

[1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#limited-security-support

[2] https://tracker.debian.org/pkg/webkit2gtk

[3] https://discourse.gnome.org/t/webkitgtk-for-gtk-4-status-update-and-api-changes/11033

[4] https://release.debian.org/transitions/html/webkit2gtk-4.0.html

[5] https://wiki.gnome.org/FortyFour

Thank you,
Jeremy Bicha


