Re: Mitigating the problem of limited security support
- Date: Sat, 27 May 2017 18:59:11 -0400
- From: Jeremy Bicha <jbicha@xxxxxxxxxx>
- Subject: Re: Mitigating the problem of limited security support
On Sat, May 27, 2017 at 5:49 PM, Moritz Mühlenhoff <jmm@xxxxxxxxxx> wrote:
> The "browser exception" applies to Chromium and Firefox, which are
> standalone packages (sans a few addons breaking), but unless webkit
> provides a long term branch with API stability guarantees, that's
> not a workable. "Rebase to a new 2.x branch every six months and let's
> hope that it doesn't break any rdeps" is not a workable solution.
webkit2gtk's API has been stable enough for Ubuntu 16.04 LTS.
Right now, webkit2gtk 2.16.3 is in experimental with fixes for 3
published CVEs that affect Stretch. What is needed for that version to
be allowed in to Stretch now? It is just testing that the rdeps still
By the way, there are more than twice as many Firefox addons in Debian
as there are packages using webkit2gtk. I believe Mozilla has
basically committed to breaking several of those addons next year,
whereas the webkit2gtk developers try to avoid regressions.