Web lists-archives.com

Re: Mitigating the problem of limited security support




On Sun, May 21, 2017 at 9:43 AM, Adrian Bunk <bunk@xxxxxxxxxx> wrote:
>   2. WebKitGTK+

The primary package of concern here in Debian Stretch is webkit2gtk .
For a year now, Ubuntu has been updating webkit2gtk [1] as security
updates [2] just fine. Ubuntu 16.04 LTS started with 2.10 and has
upgraded it to the major new version 2.12, 2.14, and now 2.16. So far
this has been done with sufficient testing that we have not introduced
any significant regressions in webkit2gtk to 16.04 yet. In fact,
Debian is the largest major distro that does not upgrade webkit2gtk
like this.

It is not too late to change this policy for Debian Stretch, but my
understanding is that the Debian Security team has absolutely refused
to extend the "browser exception" (to allow major new versions) to
webkit2gtk, despite the pleading of the Debian and upstream webkit2gtk
maintainers. The webkit2gtk developers have made several improvements
to try to make these updates more suitable for distros like Debian
Stable to ship. [3] [4]

Therefore, I urge the Debian Security team to revisit their decision
and allow new major versions of webkit2gtk to be treated as security
updates for Debian Stretch.

[1] https://launchpad.net/ubuntu/+source/webkit2gtk
[2] https://www.ubuntu.com/usn/usn-3257-1/
[3] https://trac.webkit.org/wiki/WebKitGTK/DependenciesPolicy
[4] https://webkitgtk.org/security.html

Thank you,
Jeremy Bicha