Moritz Muehlenhoff wrote:
> On Tue, Jan 25, 2022 at 12:20:46AM +1100, Trent W. Buck wrote:
> > Package: debian-security-support
> > Version: 1:11+2021.03.19
> > Severity: normal
> > File: /usr/share/debian-security-support/security-support-limited
> > 
> > As at Debian 11,
> > 
> >   * webkitgtk is in src:webkit2gtk, not src:webkit.
> >   * khtml is in src:khtml, not src:kde4libs.
> > 
> > GNOME3 and KDE5 have been around for a while now.
> > I think security-support-limited should be updated to reflect this.
> 
> webkit2gtk is fully supported since Buster and there have been plenty of
> security updates since then:
> https://security-tracker.debian.org/tracker/source-package/webkit2gtk

Am I misreading the Release Notes?

    https://www.debian.org/releases/bullseye/arm64/release-notes/ch-information.en.html#limited-security-support

    browsers built upon e.g. the webkit and khtml engines^[6] are
    included in bullseye, but not covered by security support.

Are you saying that webkit2gtk is supported, but anything that USES webkit2gtk 
is unsupported?

Even if that is the case, webkit2gtk itself ships a web browser based on 
webkit2gtk:

    libwebkit2gtk-4.0-37:amd64: /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/MiniBrowser

That browser even accesses a remote (therefore not trusted by Debian) URL by
default.
(Unlike e.g. yelp, which uses webkit2gtk mainly to render content provided by
Debian.)
It also enables javascript (remote code execution) by default.

Since webkit2gtk includes a webkit2gtk-based browser, and
"browser built upon webkit" are "not covered by security support",
I still think webkit2gtk belongs in the "security support is limited" list.

I agree that debian-security has provided security updates for webkit2gtk in 
the past.
I think "limited" doesn't mean "we promise never to issue security updates";
I think "limited" means "we don't promise to issue security updates".

Sorry if I'm missing something obvious!

Oh!  I've been assuming that when the Release Notes said only firefox-esr/chromium
are supported, and explicitly gave "webkit" as an example, "webkit" meant webkit2gtk.
But maybe it only meant webkit (MacOS-only, not ever in Debian) or
"webkitgtk" (not in Debian for about 8 years)?
But then why even mention it in the *bullseye* release notes?