On Mon, Jan 10, 2011 at 11:12:39PM +0100, Josselin Mouette wrote:
> Heya,
>
> On Monday, 10 January 2011 at 20:56 +0100, Moritz Muehlenhoff wrote:
> > As such, browsers built upon the webkit, qtwebkit
> > and khtml engines are included in Squeeze, but not covered by full security
> > support. We will make an effort to track down and backport security fixes,
> > but in general these browsers should not be used against untrusted websites.
>
> I was under the impression that upstream promised long-term maintenance
> for the webkit 1.2 branch. It is one of the reasons for which epiphany
> was kept as the default browser for GNOME. Is that no longer true?

I couldn't find that branch on http://trac.webkit.org/browser , but some
digging revealed that there's in fact a stable branch maintained elsewhere:
http://gitorious.org/webkitgtk/stable/commits/master

So I have to retract my statement on the lack of upstream support for
gtkwebkit. That's certainly a good thing.

But it still leaves us with the problem that webkit in Debian isn't
maintained properly. The last upload fixing security issues was 2.5 months
ago and we already have 51 unchecked issues potentially affecting webkit
(since they were reported/fixed for Chromium and many of these affect webkit)
and seven for which it has been verified that Squeeze's webkit is affected:

$ grep webkit CVE/list | grep unfixed | grep -v unimportant | wc -l
7
$ grep webkit CVE/list | grep undetermined | wc -l
51

So people need to step forward and commit to maintenance, otherwise we'll
end up with the same situation as in Lenny.

Cheers,
        Moritz

