Your message dated Mon, 8 Aug 2022 15:51:11 +0000
with message-id <[email protected]>
and subject line Re: Bug#1016845: warn users about insecure webkit* packages
has caused the Debian Bug report #1016845,
regarding warn users about insecure webkit* packages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
1016845: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016845
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: debian-security-support
severity: wishlist
x-debbugs-cc: [email protected], [email protected], [email protected]
Hi,
in #1004293 the status of src:khtml and src:webkitgtk was discussed and
as the discussion about the latter is more complicated, I've closed
#1004293 with documenting the state of src:khtml and am filing this
new bug to discuss webkit* based browsers in a new and fresh bug report.
On Thu, Feb 10, 2022 at 11:37:18AM +0100, Moritz Mühlenhoff wrote:
> Any reverse dependency of webkit2gtk is supported (i.e. applications like
> Epiphany, Evolution etc).
>
> Other browsers which use engines which are similarly named since they
> share a common code history are not supported:
> - qtwebkit (only present up to Buster)
> - qtwebkit-opensource-src
> - qtwebengine-opensource-src
> - webkitgtk (only present up to Stretch)
>
> This e.g. means that the default browser in KDE (Konqueror) is entirely
> unsupported with security updates.
>
> Note this isn't the case for any distro out there, we're just the only one
> transparent about it in their release notes!
>
> E.g. qtwebengine rebases to Chromium releases from time to time, but
> definitely not at a pace which is needed and none of this reaches distros
> properly.
>
> I understand this is probably a little confusing, so maybe we should
> instead list specific browsers as examples for webengine related components
> which are supported and which are not.
so, for bookworm, we should add
- qtwebkit-opensource-src
- qtwebengine-opensource-src
to security-support-limited ("only for trusted content") and that's it?
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
This too shall pass.
--- End Message ---
--- Begin Message ---
On Mon, Aug 08, 2022 at 05:12:52PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Aug 08, 2022 at 11:07:16AM +0000, Holger Levsen wrote:
> > so, for bookworm, we should add
> > - qtwebkit-opensource-src
> > - qtwebengine-opensource-src
> > to security-support-limited ("only for trusted content") and that's it?
> I think so, yes.
cool, thanks! as both are already listed, I'm just closing this bug report now.
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
三人成虎- Three men make a tiger.
In other words, if one guy says "there's a tiger over there" you might not
believe them, if three guys in a row all say this- you think there's a tiger
there. A lie, repeated often enough, will be accepted as truth.
--- End Message ---