Package: release.debian.org User: release.debian....@packages.debian.org Usertags: unblock transition moreinfo Tags: security X-Debbugs-CC: webkit2...@packages.debian.org
I am filing this bug early so that the Release Team is aware early. [ Reason ] webkit2gtk only provides security support for one stable series at a time. A new series is released each March and September. The Debian Security Team backports these new release as security updates [1] [2] The upcoming 2.40.0 is more disruptive than usual as it makes a major API break for the new GTK4 library, bumping the API series from 5 to 6 [3]. This causes a small transition: gnome-builder 43 and gnome-initial-setup 43 are the only two packages that use the gtk4 library. They will both need sourceful uploads. Patches will be ready for both since the upstream webkitgtk team works closely with the GNOME project. [ Impact ] Because the 2.38 series will be End of Life before Debian 12 is released, I believe the Security Team wants 2.40 to make it to Testing [ Tests ] There are no automated tests (!) The person who uploads gnome-builder and gnome-initial-setup (likely me) will make sure those 2 apps still run well with the new webkit2gtk version. [ Risks ] The code changes in a new major webkit2gtk release are too large to manually review. webkit2gtk is a key package. Besides gnome-builder and gnome-initial-setup, webkit2gtk is used by many packages. [4] [ Checklist ] [ ] all changes are documented in the d/changelog [ ] I reviewed all changes and I approve them [ ] attach debdiff against the package in testing [ Other Info ] webkit2gtk generally follows the GNOME release schedule. [5] A beta (2.39.90) is expected in February. A release candidate (2.39.91) around March 6, and the first stable release (2.40.0) around March 20. We intend to do a test build in experimental first. I think it makes the most sense to wait for the 2.40.0 release and not push a prelease to Unstable/Testing. Ubuntu 23.04 will also switch to the 2.40 series by February or early March. Ubuntu 22.10 will need to do this transition as stable release updates. I don't have a ben file since the final soname isn't known yet. [1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#limited-security-support [2] https://tracker.debian.org/pkg/webkit2gtk [3] https://discourse.gnome.org/t/webkitgtk-for-gtk-4-status-update-and-api-changes/11033 [4] https://release.debian.org/transitions/html/webkit2gtk-4.0.html [5] https://wiki.gnome.org/FortyFour Thank you, Jeremy Bicha