* Kevin Krammer <kevin.kram...@gmx.at> [2015-06-25 20:07:58 +0200]:
> On Thursday, 2015-06-25, 18:45:52, Florian Bruhin wrote:
> > * Kevin Krammer <kevin.kram...@gmx.at> [2015-06-25 18:35:41 +0200]:
> > > On Thursday, 2015-06-25, 15:56:22, Florian Bruhin wrote:
> > > > I still have some hope - I think Qt will still apply at least security
> > > > fixes for QtWebKit until Qt 6, which still should be a while away.
> > > 
> > > I would also be surprised if they would knowingly ship insecure code.
> > 
> > I wouldn't call it *knowingly* - but chances are slim that someone
> > will take care of security issues until there's a bug report - and
> > even then, I guess it depends on the ressources Qt is willing to
> > allocate to QtWebKit (which seems to be dropping at a fast rate the
> > past few months).
> Hmm, I would think that there are people monitoring webkti related security 
> lists

I almost never see upstream WebKit fixes being applied to QtWebKit
without someone opening a bug report for it.

I recently talked with Hanno Böck[1] about my project ([2] for the
curious) and he's told me the same.

If I notice something I'll backport it (like I did with [3] for
example), but my time to work on QtWebKit is extremely limited, as my
own project keeps me busy.

[1] https://hboeck.de/en/
[2] http://www.qutebrowser.org/
[3] https://codereview.qt-project.org/#/c/108936/

> the new engine is webkit based as well.

Not really. It's based on Chromium, which is based on Blink, which in
turn once was WebKit - but I wouldn't call that WebKit-based.

But the important part is that the QtWebEngine-Chromium is very close
to the upstream Chromium, unlike with QtWebKit which was a diverging
WebKit fork. I think Google has enough resources to keep Chromium
secure, and Qt has enough resources to keep QtWebEngine up to date
with that - but they don't have the resources to maintain their own
fork of WebKit.

(Lack of manpower was one of the reasons to start QtWebEngine and
abandon QtWebKit as far as I know)

> The open nature of Qt makes resource allocation basically driven by demand.
> E.g. all the code contributed by KDE developers was created because KDE 
> applications needed it.

Well, it means something will be taken care of if someone choses to do
so. There's certainly a big demand to keep QtWebKit alive, but so far
I've not seen anybody step up to maintain it.


http://www.the-compiler.org | m...@the-compiler.org (Mail/XMPP)
   GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc
         I love long mails! | http://email.is-not-s.ms/

Attachment: pgpZ9aGvEBHWm.pgp
Description: PGP signature


Reply via email to