Re: Mitigating the problem of limited security support
- Date: Mon, 29 May 2017 01:19:47 +0200
- From: Alberto Garcia <berto@xxxxxxxxxx>
- Subject: Re: Mitigating the problem of limited security support
On 2017-05-27 23:49, Moritz Mühlenhoff wrote:
> The "browser exception" applies to Chromium and Firefox, which are
> standalone packages (sans a few addons breaking), but unless webkit
> provides a long term branch with API stability guarantees, that's
> not a workable. "Rebase to a new 2.x branch every six months and let's
> hope that it doesn't break any rdeps" is not a workable solution.
webkit2gtk does guarantee API stability.
"We support each major Debian version until one year after
the release of the next major version."
I'm actually writing this e-mail from a web-based e-mail client
using the latest stable release of webkit2gtk (2.16.13) that I just
built for Debian jessie (which ships 2.6.2).
What webkit2gtk cannot guarantee is zero regressions between
stable releases, and there have been a couple of annoying ones.
So yes, it can happen that updating webkit2gtk breaks an
rdep (#855103). Unfortunately it can also happen that NOT
updating webkit2gtk breaks an rdep (#862156).
The good news is that the first kind of problems are detected and
fixed immediately, so waiting a couple of weeks before uploading
the releases to debian-security could be an option (is that what