Post by Alberto GarciaDebian provides security support for the WebKitGTK browser engine
(source package: webkit2gtk). For bullseye we also want to support
wpewebkit, which is developed by the same team, follows a very similar
release schedule and numbering system, shares most of the code and
almost all CVEs fixes apply to both ports.
See #990754 for more details.
Buster users reading this ought to be able to work out that "uses
webkit2gtk" means "Depends: libwebkit2gtk-X.Y-Z", but wpewebkit is
more obscure: nobody preparing a dist-upgrade is going to learn
anything about it with APT searches on buster. Can we add some hint
that it's new in bullseye?
Post by Alberto GarciaI'm attaching a patch for the release notes.
diff --git a/en/issues.dbk b/en/issues.dbk
index 5f177f54..9fb6861d 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -483,12 +483,13 @@ data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
source packages and the concern applies to all packages shipping
them. The concern also extends to web rendering engines not explicitly
mentioned here, with the exception of <systemitem
- role="source">webkit2gtk</systemitem>.</para></footnote> are included in
- &releasename;, but not
- covered by security support. These browsers should not be used against
- untrusted websites.
- The <systemitem role="source">webkit2gtk</systemitem> source package is
- covered by security support.
+ role="source">webkit2gtk</systemitem> and <systemitem
+ role="source">wpewebkit</systemitem>.</para></footnote> are included in
+ &releasename;, but not covered by security support. These
+ browsers should not be used against untrusted websites.
+ The <systemitem role="source">webkit2gtk</systemitem> and
+ <systemitem role="source">wpewebkit</systemitem> source
+ packages are covered by security support.
</para>
<para>
For general web browser use we recommend Firefox or Chromium.
If we can refer to "webkit" and "khtml" (in the previous line) and
"Firefox" and "Chromium" (below) without special markup, it's not
clear why we need make such a big deal about "*webkit2gtk*" and
"*wpewebkit*" being source package names. I would suggest just:
mentioned here, with the exception of webkit2gtk and
the new wpewebkit.</para></footnote> are included in
&releasename;, but not covered by security support. These
browsers should not be used against untrusted websites.
The webkit2gtk and wpewebkit engines
<emphasis>are</emphasis> covered by security support.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package