Hi again

And tip: have you noticed that the default web engine for Konqueror is actually Qt5's webengine?

On Tue, 18 Apr 2023 at 04:30, Bernhard Reiter <bernh...@intevation.de> wrote:
>
> Hi,
>
> On Tuesday 18 April 2023 04:55:35, Lisandro Damián Nicanor Pérez Meyer wrote:
> > On Mon, 17 Apr 2023 at 12:34, Bernhard Reiter <bernh...@intevation.de> wrote:
> >
> > > Konqueror is advertised as web browser, which means it will (offer to)
> > > open URLs from different sources, e.g. when clicked from emails which
> > > means external URLs and data.
> >
> > Same goes with KMail too :-)
>
> not really, KMail protects against just displaying external HTML
> code from mails, you need to explicitly enable it, e.g. by clicking.

Well, you are supposed to know what you are doing if you open a web browser :-)

> > Whatever uses webengine/webkit/<web engine of the day> has the same
> > issue. Well, for as long as they are a pile of embedded code, at least
> > to start with.
>
> Only if they are exposed to unfiltered external data and having active code
> elements enabled like <script>, I think some usage is for displaying packaged
> documentation.

Same as Konqueror. I only use it for displaying man pages, mind you.

> [..]
> > Same thing I said when I opposed packaging webengine, you see :-) But
> > now it is packaged, and here we are :)
>
> Qt5/6 Webengine is security maintained by upstream.
> It is like Firefox and Chromium, it is just a matter of packaging find a way
> to deal with it, isn't it?

Yes, still no security support from Debian. And konqueror uses Qt5's webengine by default, so...

> > > What would be the right place in debian to bring this up?
> >
> > Debian devel, maybe? But I did ask the same thing years ago. The reply
> > was "what is the difference with a PDF?" Whatever handles untrusted
> > code has the same issue.
>
> The situation may have changed meanwhile and it is inconsistent within Debian.
> The PDF engines are not listed in
> https://salsa.debian.org/debian/debian-security-support/-/blob/master/security-support-limited
> and Firefox and Chromium are not either.
> All are as security maintained as qtwebengine-opensource-src, but not
> considered of limited security support.
> So there are differences already within Debian.
>
> Thanks for your response again,
> I'll if I can find the time to write to debian devel.

Good luck :-)

--
Lisandro Damián Nicanor Pérez Meyer
https://perezmeyer.com.ar/