Demi Marie Obenour wrote:
> I can’t help with maintenance, but I honestly wonder if some of
> these programs could be modified to shell out to a browser subprocess.
That is not a reasonable solution. Those applications need embedded HTML in
the UI, not a separate browser window. And it does not help at all if the
browser that is shelled out to itself uses QtWebEngine.
> Even if Fedora shipped QtWebEngine releases the day they were tagged
> in git, this would still not be enough for security. Not when upstream
> itself is lagging so badly.
But it would be better than now where we are sitting on dozens of security
fixes, some of them critical, for 3+ MONTHS!
> I also wonder if some features of QtWebEngine, such as the V8 JIT
> compiler or even scripting as a whole, ought to be proactively
> disabled.
-1 to that from me as the maintainer of Falkon. It would completely break
Falkon. Hardly any website these days works without JavaScript
(unfortunately).
> There is absolutely no reason for KMail to be running untrusted scripts,
> and disabling them mitigates many if not most vulnerabilities.
KMail can (and, I believe, already does) disable JavaScript in its HTML
views.
Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
