Web lists-archives.com

Re: Mitigating the problem of limited security support




On 2017-05-27 23:49, Moritz Mühlenhoff wrote:
> The "browser exception" applies to Chromium and Firefox, which are
> standalone packages (sans a few addons breaking), but unless webkit
> provides a long term branch with API stability guarantees, that's
> not a workable. "Rebase to a new 2.x branch every six months and let's
> hope that it doesn't break any rdeps" is not a workable solution.

webkit2gtk does guarantee API stability.

    "We support each major Debian version until one year after
     the release of the next major version."

   https://trac.webkit.org/wiki/WebKitGTK/DependenciesPolicy

I'm actually writing this e-mail from a web-based e-mail client
using the latest stable release of webkit2gtk (2.16.13) that I just
built for Debian jessie (which ships 2.6.2).

What webkit2gtk cannot guarantee is zero regressions between
stable releases, and there have been a couple of annoying ones.

So yes, it can happen that updating webkit2gtk breaks an
rdep (#855103). Unfortunately it can also happen that NOT
updating webkit2gtk breaks an rdep (#862156).

The good news is that the first kind of problems are detected and
fixed immediately, so waiting a couple of weeks before uploading
the releases to debian-security could be an option (is that what
Ubuntu does?).

Berto