Discussion:
Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security
(too old to reply)
Julien Cristau
2017-06-17 18:30:01 UTC
Permalink
https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security
Therefore, browsers built upon the webkit, qtwebkit and khtml engines
are included in stretch, but not covered by security support. These
browsers should not be used against untrusted websites.
But according to
https://jeremy.bicha.net/2017/06/15/stretch-latest-webkitgtk/ the source
package "webkit2gtk" has no "guaranteed security support for webkit2gtk
for Debian 9", too.
Please update that list accordingly.
I'm not sure what you think needs updating, webkit is already on the
not-supported list?

Cheers,
Julien
Axel Beckert
2017-06-17 18:40:01 UTC
Permalink
Hi,
Post by Julien Cristau
Therefore, browsers built upon the webkit, qtwebkit and khtml engines
are included in stretch, but not covered by security support. These
browsers should not be used against untrusted websites.
But according to
https://jeremy.bicha.net/2017/06/15/stretch-latest-webkitgtk/ the source
package "webkit2gtk" has no "guaranteed security support for webkit2gtk
for Debian 9", too.
Please update that list accordingly.
I'm not sure what you think needs updating, webkit is already on the
not-supported list?
webkit is a different source package:
https://packages.qa.debian.org/w/webkit.html

As is webkitgtk:
https://packages.qa.debian.org/w/webkitgtk.html

I'm talking about https://packages.qa.debian.org/w/webkit2gtk.html

And obviously, since "qtwebkit" and "webkit" are both mentioned
already, the mentioning of "webkit" does not imply any webkit fork as
otherwise "qtwebkit" wouldn't be in there.

Regards, Axel
--
,''`. | Axel Beckert <***@debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Julien Cristau
2017-06-17 18:40:01 UTC
Permalink
Post by Axel Beckert
Hi,
Post by Julien Cristau
Therefore, browsers built upon the webkit, qtwebkit and khtml engines
are included in stretch, but not covered by security support. These
browsers should not be used against untrusted websites.
But according to
https://jeremy.bicha.net/2017/06/15/stretch-latest-webkitgtk/ the source
package "webkit2gtk" has no "guaranteed security support for webkit2gtk
for Debian 9", too.
Please update that list accordingly.
I'm not sure what you think needs updating, webkit is already on the
not-supported list?
https://packages.qa.debian.org/w/webkit.html
https://packages.qa.debian.org/w/webkitgtk.html
I'm talking about https://packages.qa.debian.org/w/webkit2gtk.html
And obviously, since "qtwebkit" and "webkit" are both mentioned
already, the mentioning of "webkit" does not imply any webkit fork as
otherwise "qtwebkit" wouldn't be in there.
OK. I didn't think that list is intended as a list of source packages.
It does talk about browser engines instead, I believe on purpose, so it
doesn't have to be that specific about source package names (which
wouldn't be much help to most users anyway). Maybe we could make that
clearer. Or indeed update it to actual current source packages.

Cheers,
Julien
Axel Beckert
2017-06-17 18:50:01 UTC
Permalink
Hi Julien,
Post by Julien Cristau
Post by Axel Beckert
And obviously, since "qtwebkit" and "webkit" are both mentioned
already, the mentioning of "webkit" does not imply any webkit fork as
otherwise "qtwebkit" wouldn't be in there.
OK. I didn't think that list is intended as a list of source
packages.
Ah, ok, I read it that way as qtwebkit and khtml are current source
package names.
Post by Julien Cristau
It does talk about browser engines instead, I believe on purpose, so it
doesn't have to be that specific about source package names (which
wouldn't be much help to most users anyway). Maybe we could make that
clearer.
Yes, please.

Basically this was a question during my talk "What's new in Stretch?"
today after having copied this list from the release notes on one of
my slides.

The question came from a developer of a webkit-based web browser (Cc'ed).
Post by Julien Cristau
Or indeed update it to actual current source packages.
Then webkit should be removed from the list. I just noticed now that
it's no current source package name anymore. it has been removed from
unstable in 2013.

Regards, Axel
--
,''`. | Axel Beckert <***@debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Florian Bruhin
2017-06-17 19:00:01 UTC
Permalink
Hi,
Post by Axel Beckert
Hi Julien,
Post by Julien Cristau
Post by Axel Beckert
And obviously, since "qtwebkit" and "webkit" are both mentioned
already, the mentioning of "webkit" does not imply any webkit fork as
otherwise "qtwebkit" wouldn't be in there.
OK. I didn't think that list is intended as a list of source packages.
Ah, ok, I read it that way as qtwebkit and khtml are current source
package names.
If it's not a list of source packages, then qtwebkit shouldn't be listed
either, no? After all, that's a WebKit fork as well.
Post by Axel Beckert
Post by Julien Cristau
It does talk about browser engines instead, I believe on purpose, so it
doesn't have to be that specific about source package names (which
wouldn't be much help to most users anyway). Maybe we could make that
clearer.
Yes, please.
Basically this was a question during my talk "What's new in Stretch?"
today after having copied this list from the release notes on one of
my slides.
The question came from a developer of a webkit-based web browser (Cc'ed).
That'd be me ;-)
Post by Axel Beckert
Post by Julien Cristau
Or indeed update it to actual current source packages.
Then webkit should be removed from the list. I just noticed now that
it's no current source package name anymore. it has been removed from
unstable in 2013.
As Axel mentioned earlier, I think QtWebEngine should be added as well
as I don't expect Qt to be upgraded during the Stretch release.
That's based on Chromium, which is somewhat related to WebKit, but still
probably distinct enough.

Florian
--
https://www.qutebrowser.org | ***@the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/
Debian Bug Tracking System
2019-03-31 17:50:01 UTC
Permalink
Your message dated Sun, 31 Mar 2019 19:39:41 +0200
with message-id <5f0fc9da-b042-1726-36fe-***@debian.org>
and subject line Re: Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security
has caused the Debian Bug report #864941,
regarding release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
864941: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864941
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Loading...