subject:"Bug#864941\: release\-notes\: webkit2gtk not mentioned in https\:\/\/www.debian.org\/releases\/stretch\/amd64\/release\-notes\/ch\-information.en.html#browser\-security"

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

2017-06-17 Thread Florian Bruhin

Hi,

On Sat, Jun 17, 2017 at 08:42:16PM +0200, Axel Beckert wrote:
> Hi Julien,
> 
> Julien Cristau wrote:
> > > And obviously, since "qtwebkit" and "webkit" are both mentioned
> > > already, the mentioning of "webkit" does not imply any webkit fork as
> > > otherwise "qtwebkit" wouldn't be in there.
> >
> > OK.  I didn't think that list is intended as a list of source
> > packages.
> 
> Ah, ok, I read it that way as qtwebkit and khtml are current source
> package names.

If it's not a list of source packages, then qtwebkit shouldn't be listed
either, no? After all, that's a WebKit fork as well.

> > It does talk about browser engines instead, I believe on purpose, so it
> > doesn't have to be that specific about source package names (which
> > wouldn't be much help to most users anyway).  Maybe we could make that
> > clearer.
> 
> Yes, please.
> 
> Basically this was a question during my talk "What's new in Stretch?"
> today after having copied this list from the release notes on one of
> my slides.
> 
> The question came from a developer of a webkit-based web browser (Cc'ed).

That'd be me ;-)

> > Or indeed update it to actual current source packages.
> 
> Then webkit should be removed from the list. I just noticed now that
> it's no current source package name anymore. it has been removed from
> unstable in 2013.

As Axel mentioned earlier, I think QtWebEngine should be added as well
as I don't expect Qt to be upgraded during the Stretch release.
That's based on Chromium, which is somewhat related to WebKit, but still
probably distinct enough.

Florian

-- 
https://www.qutebrowser.org  | m...@the-compiler.org (Mail/XMPP)
   GPG: 916E B0C8 FD55 A072  | https://the-compiler.org/pubkey.asc
 I love long mails!  | https://email.is-not-s.ms/


signature.asc
Description: PGP signature

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

2017-06-17 Thread Axel Beckert

Hi Julien,

Julien Cristau wrote:
> > And obviously, since "qtwebkit" and "webkit" are both mentioned
> > already, the mentioning of "webkit" does not imply any webkit fork as
> > otherwise "qtwebkit" wouldn't be in there.
>
> OK.  I didn't think that list is intended as a list of source
> packages.

Ah, ok, I read it that way as qtwebkit and khtml are current source
package names.

> It does talk about browser engines instead, I believe on purpose, so it
> doesn't have to be that specific about source package names (which
> wouldn't be much help to most users anyway).  Maybe we could make that
> clearer.

Yes, please.

Basically this was a question during my talk "What's new in Stretch?"
today after having copied this list from the release notes on one of
my slides.

The question came from a developer of a webkit-based web browser (Cc'ed).

> Or indeed update it to actual current source packages.

Then webkit should be removed from the list. I just noticed now that
it's no current source package name anymore. it has been removed from
unstable in 2013.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

2017-06-17 Thread Julien Cristau

On Sat, Jun 17, 2017 at 20:29:46 +0200, Axel Beckert wrote:

> Hi,
> 
> Julien Cristau wrote:
> > > > Therefore, browsers built upon the webkit, qtwebkit and khtml engines
> > > > are included in stretch, but not covered by security support. These
> > > > browsers should not be used against untrusted websites.
> > > 
> > > But according to
> > > https://jeremy.bicha.net/2017/06/15/stretch-latest-webkitgtk/ the source
> > > package "webkit2gtk" has no "guaranteed security support for webkit2gtk
> > > for Debian 9", too.
> > > 
> > > Please update that list accordingly.
> >
> > I'm not sure what you think needs updating, webkit is already on the
> > not-supported list?
> 
> webkit is a different source package:
> https://packages.qa.debian.org/w/webkit.html
> 
> As is webkitgtk:
> https://packages.qa.debian.org/w/webkitgtk.html
> 
> I'm talking about https://packages.qa.debian.org/w/webkit2gtk.html
> 
> And obviously, since "qtwebkit" and "webkit" are both mentioned
> already, the mentioning of "webkit" does not imply any webkit fork as
> otherwise "qtwebkit" wouldn't be in there.
> 
OK.  I didn't think that list is intended as a list of source packages.
It does talk about browser engines instead, I believe on purpose, so it
doesn't have to be that specific about source package names (which
wouldn't be much help to most users anyway).  Maybe we could make that
clearer.  Or indeed update it to actual current source packages.

Cheers,
Julien

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

2017-06-17 Thread Axel Beckert

Hi,

Julien Cristau wrote:
> > > Therefore, browsers built upon the webkit, qtwebkit and khtml engines
> > > are included in stretch, but not covered by security support. These
> > > browsers should not be used against untrusted websites.
> > 
> > But according to
> > https://jeremy.bicha.net/2017/06/15/stretch-latest-webkitgtk/ the source
> > package "webkit2gtk" has no "guaranteed security support for webkit2gtk
> > for Debian 9", too.
> > 
> > Please update that list accordingly.
>
> I'm not sure what you think needs updating, webkit is already on the
> not-supported list?

webkit is a different source package:
https://packages.qa.debian.org/w/webkit.html

As is webkitgtk:
https://packages.qa.debian.org/w/webkitgtk.html

I'm talking about https://packages.qa.debian.org/w/webkit2gtk.html

And obviously, since "qtwebkit" and "webkit" are both mentioned
already, the mentioning of "webkit" does not imply any webkit fork as
otherwise "qtwebkit" wouldn't be in there.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

2017-06-17 Thread Julien Cristau

On Sat, Jun 17, 2017 at 20:13:56 +0200, Axel Beckert wrote:

> https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security
> says:
> 
> > Therefore, browsers built upon the webkit, qtwebkit and khtml engines
> > are included in stretch, but not covered by security support. These
> > browsers should not be used against untrusted websites.
> 
> But according to
> https://jeremy.bicha.net/2017/06/15/stretch-latest-webkitgtk/ the source
> package "webkit2gtk" has no "guaranteed security support for webkit2gtk
> for Debian 9", too.
> 
> Please update that list accordingly.
> 
I'm not sure what you think needs updating, webkit is already on the
not-supported list?

Cheers,
Julien

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

2017-06-17 Thread Axel Beckert

Package: release-notes
Severity: normal
Tags: security

Hi,

https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security
says:

> Therefore, browsers built upon the webkit, qtwebkit and khtml engines
> are included in stretch, but not covered by security support. These
> browsers should not be used against untrusted websites.

But according to
https://jeremy.bicha.net/2017/06/15/stretch-latest-webkitgtk/ the source
package "webkit2gtk" has no "guaranteed security support for webkit2gtk
for Debian 9", too.

Please update that list accordingly.

P.S.: While I have no source, my gut feeling says that
qtwebengine-opensource-src should also be in that list.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (980, 'unstable-debug'), (600, 'testing'), 
(111, 'buildd-unstable'), (111, 'buildd-experimental'), (110, 'experimental'), 
(105, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

Bug#864941: release-notes: webkit2gtk not mentioned in https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

6 matches

Site Navigation

Mail list logo

Footer information