Bug#989198: unblock: webkit2gtk/2.32.1-1

2021-06-05 Thread Paul Gevers
Hi Alberto,

On 05-06-2021 01:52, Alberto Garcia wrote:
> So if you are ok with the change of dependencies I will upload it to
> unstable and request a new unblock.

Ack. But next time, please create a new unblock (pre-approval) request.
This bug is closed and your message had a high chance of being missed.

Paul





Bug#989198: unblock: webkit2gtk/2.32.1-1

2021-06-04 Thread Alberto Garcia
On Fri, May 28, 2021 at 11:18:00AM +0200, Alberto Garcia wrote:

> unblock webkit2gtk/2.32.1-1

This upload introduced a regression (#989332) that should probably be
fixed for bullseye.

WebKitGTK has always used GStreamer internally but the Debian package
only _recommends_ the GStreamer plugins because in theory you can use
the web without them (but forget about audio and video). This has
changed recently and now WebKit assumes that at least the -base and
-good sets of plugins are available, and will abort with an assertion
if e.g. there is no audio plugin installed.

In practice I think that the vast majority of users won't hit this
problem because a) those plugins are recommended and apt installs
them by default and b) they are amongst the most common packages on a
desktop environment and required by many other programs.

But it turns out that some people do browse the web with Epiphany and
don't have those plugins installed, so we should probably try to avoid
similar situations.

I would like to move gstreamer1.0-plugins-good from Recommends to
Depends. See the attached patch, in which I also get rid of the
gstreamer1.0-pulseaudio recommendation (now part of plugins-good),
explicitly depend on plugins-base (which are implicitly installed
anyway by plugins-good) and recommend plugins-bad (which is needed for
many common video formats).

An alternative would be to patch WebKit (downstream or upstream) to
remove the assertion, or perhaps to use a dummy plugin ('fakesink')
if no other is available. But this change is not necessarily trivial
(WebKit uses many plugins in different places) and I'm not sure that
upstream would be so happy to support that use case (considering that
one can disable several media options at build time).

So if you are ok with the change of dependencies I will upload it to
unstable and request a new unblock.

Regards,

Berto
diff --git a/debian/changelog b/debian/changelog
index 8bc5c0a2183f..7556456f9097 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+webkit2gtk (2.32.1-2) unstable; urgency=high
+
+  * debian/control:
++ Update the dependencies on GStreamer plugins (Closes: #989332):
+  - WebKitGTK really expects at least the -base and -good sets.
+  - For video playback (e.g YouTube) -bad is also recommended.
+  - The pulseaudio plugin was merged into the -good package.
+
+ -- Alberto Garcia   Fri, 04 Jun 2021 21:10:02 +0200
+
 webkit2gtk (2.32.1-1) unstable; urgency=medium
 
   * New upstream release.
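Review bot: the new entry's "Update the dependencies on GStreamer plugins" line does not say which relationship fields change. A reader who sees new packages pulled in on upgrade learns from the sub-items why the plugins matter, but not that -base and -good are now hard Depends and that -bad is only a Recommends. Consider wording it as "Move gstreamer1.0-plugins-good from Recommends to Depends, add -base to Depends, recommend -bad". The urgency also goes from medium to high in this entry; a short reason next to the Closes: would make that choice reviewable.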
diff --git a/debian/control b/debian/control
index 7c0b3218f92d..8b1c4197e740 100644
--- a/debian/control
+++ b/debian/control
@@ -138,11 +138,13 @@ Architecture: any
 Multi-Arch: same
 Pre-Depends: ${misc:Pre-Depends}
 Depends: libjavascriptcoregtk-4.0-18 (= ${binary:Version}),
+ gstreamer1.0-plugins-base,
+ gstreamer1.0-plugins-good,
  ${bwrap:Depends},
  ${shlibs:Depends},
  ${misc:Depends}
-Recommends: gstreamer1.0-plugins-good,
-gstreamer1.0-pulseaudio | gstreamer1.0-alsa,
+Recommends: gstreamer1.0-plugins-bad,
+gstreamer1.0-alsa,
 gstreamer1.0-gl,
 libgl1-mesa-dri,
 ${bwrap:Recommends},
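Review bot: the two added Depends entries (gstreamer1.0-plugins-base, gstreamer1.0-plugins-good) are unversioned, while the changelog hunk justifies dropping gstreamer1.0-pulseaudio from Recommends by saying the plugin was merged into -good. If an older plugins-good without that plugin can still satisfy the dependency, a partial upgrade could leave no audio plugin installed, which is the condition #989332 is about; a minimum version on -good would close that gap. The Recommends line also turns the alternative "gstreamer1.0-pulseaudio | gstreamer1.0-alsa" into a bare gstreamer1.0-alsa, so it is worth stating whether alsa is still wanted once -good is a hard dependency.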


Bug#989198: unblock: webkit2gtk/2.32.1-1

2021-05-28 Thread Alberto Garcia
Control: tags -1 - moreinfo

On Fri, May 28, 2021 at 10:44:27PM +0200, Sebastian Ramacher wrote:
>  libwebkit2gtk-4.0.so.37 libwebkit2gtk-4.0-37 #MINVER#
>  * Build-Depends-Package: libwebkit2gtk-4.0-dev
>   (c++)"WebKit::NetworkProcessMain(int, char**)@Base" 2.27.90
> - (c++)"WebKit::PluginProcessMain(int, char**)@Base" 2.27.90
>   (c++)"WebKit::WebProcessMain(int, char**)@Base" 2.27.90
>   (c++)"WebKit::WebKitExtensionManager::initialize(WebKit::InjectedBundle*, 
> API::Object*)@Base" 2.17.5
>   (c++)"WebKit::WebKitExtensionManager::singleton()@Base" 2.17.5
> 
> Is that an internal symbol or why is it safe to remove it without a
> SONAME bump?

This is actually not part of the library API.

The plugin process is (was) a separate binary used to load NPAPI
plugins, but those are no longer supported by any major browser:

https://salsa.debian.org/webkit-team/webkit/-/commit/73f555da9678842191a904b41ca17d7aee84a8e4

The last important user was Adobe Flash, which reached eol in December
2020.

Berto
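The check behind the question above (a symbol dropped from a symbols file while the SONAME stays the same) can be automated. This is an added example, not code from the thread or from the webkit2gtk packaging; the sample input is constructed from the symbols lines quoted in this thread, and the function names are hypothetical.

```python
import re

# Symbol line: one leading space, optional "(tags)", the symbol name
# (double-quoted when it contains spaces), then the minimum version.
SYMBOL_RE = re.compile(
    r'^ (?:\((?P<tags>[^)]*)\))?(?:"(?P<q>[^"]+)"|(?P<u>\S+)) (?P<ver>\S+)')

def parse_symbols(text):
    """Return {soname: {symbol: min_version}} for dpkg symbols-file text."""
    libs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("*", "#", "|")):
            continue  # blank, metadata field, comment, alternative dependency
        if not line.startswith(" "):
            # Header line: "<soname> <package> <minimum version>"
            current = libs.setdefault(line.split()[0], {})
            continue
        m = SYMBOL_RE.match(line)
        if m and current is not None:
            current[m.group("q") or m.group("u")] = m.group("ver")
    return libs

def removed_without_soname_bump(old_text, new_text):
    """Symbols present in old but missing in new, for SONAMEs found in both."""
    old, new = parse_symbols(old_text), parse_symbols(new_text)
    report = {}
    for soname, syms in old.items():
        if soname in new:  # same SONAME still shipped: removals need a reason
            gone = sorted(set(syms) - set(new[soname]))
            if gone:
                report[soname] = gone
    return report

# Constructed sample based on the lines quoted in this thread.
OLD = '''libwebkit2gtk-4.0.so.37 libwebkit2gtk-4.0-37 #MINVER#
* Build-Depends-Package: libwebkit2gtk-4.0-dev
 (c++)"WebKit::NetworkProcessMain(int, char**)@Base" 2.27.90
 (c++)"WebKit::PluginProcessMain(int, char**)@Base" 2.27.90
 (c++)"WebKit::WebProcessMain(int, char**)@Base" 2.27.90
'''
NEW = "\n".join(l for l in OLD.splitlines() if "PluginProcessMain" not in l)

if __name__ == "__main__":
    for soname, gone in removed_without_soname_bump(OLD, NEW).items():
        for sym in gone:
            print(f"{soname}: removed {sym}")
```

A hit from this check is a prompt for the kind of explanation given in the message above; it cannot tell whether anything actually links against the removed symbol.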



Bug#989198: unblock: webkit2gtk/2.32.1-1

2021-05-28 Thread Sebastian Ramacher
Control: tags -1 moreinfo

On 2021-05-28 11:18:00 +0200, Alberto Garcia wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package webkit2gtk
> 
> Starting from buster webkit2gtk has been receiving security updates,
> with a dozen DSAs published so far, at a pace of once every month or
> two. These updates follow the upstream stable releases.
> 
> webkit2gtk 2.32.1 was published on the 10th of May and it belongs to
> the new 2.32.x stable branch (which started on the 26th of March with
> the 2.32.0 release).
> 
> This fixes three security bugs: CVE-2021-1871, CVE-2021-1844 and
> CVE-2021-1788. You can see the details here:
> 
>    https://webkitgtk.org/security/WSA-2021-0003.html
> 
> According to the CVE description, Apple is aware that the first of
> those bugs may have been actively exploited.
> 
> Since this is a new stable branch (2.30.x -> 2.32.x) I wanted to give
> it more time than usual before proposing an unblock to detect possible
> regressions.
> 
> We found two:
> 
>  - https://bugs.debian.org/987448
> 
>    The titles of articles of RSS feeds have wrong colors due to broken
>    CSS. This is due to upstream changes in WebKitGTK and required
>    changes in Liferea. Liferea is now fixed in testing and works fine
>    with WebKitGTK 2.32.x
> 
>    NOTE: theoretically other packages could have similar problems, but
>    we haven't detected any.
> 
>  - https://bugs.debian.org/987686
> 
>    An autopkgtest regression. This is actually not a bug in WebKitGTK,
>    but the new dependency on xdg-desktop-portal-gtk triggers it. I
>    downgraded the dependency to a recommendation and the problem is
>    gone. I also uploaded a patch for balsa.
> 
> I am not aware of any other regression. 2.32.0 was uploaded to
> unstable on the 22nd of April and 2.32.1 on the 10th of May.
> 
> I would like to have this version of webkit2gtk unblocked and after
> that I'll prepare a new security update for buster.


diff -Nru webkit2gtk-2.30.6/debian/libwebkit2gtk-4.0-37.symbols 
webkit2gtk-2.32.1/debian/libwebkit2gtk-4.0-37.symbols
--- webkit2gtk-2.30.6/debian/libwebkit2gtk-4.0-37.symbols   2021-03-18 
15:05:45.0 +
+++ webkit2gtk-2.32.1/debian/libwebkit2gtk-4.0-37.symbols   2021-05-10 
10:20:44.0 +
@@ -1,7 +1,6 @@
 libwebkit2gtk-4.0.so.37 libwebkit2gtk-4.0-37 #MINVER#
 * Build-Depends-Package: libwebkit2gtk-4.0-dev
  (c++)"WebKit::NetworkProcessMain(int, char**)@Base" 2.27.90
- (c++)"WebKit::PluginProcessMain(int, char**)@Base" 2.27.90
  (c++)"WebKit::WebProcessMain(int, char**)@Base" 2.27.90
  (c++)"WebKit::WebKitExtensionManager::initialize(WebKit::InjectedBundle*, 
API::Object*)@Base" 2.17.5
  (c++)"WebKit::WebKitExtensionManager::singleton()@Base" 2.17.5
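Review bot: the removed PluginProcessMain line drops an exported symbol while the header line of the file still names libwebkit2gtk-4.0.so.37, so the SONAME is unchanged. A removal like this should be accompanied by a recorded reason, for example a debian/changelog line stating why no reverse dependency can be linking against the symbol, so that it is not read as an accidental ABI break when the symbols file is compared later.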

Is that an internal symbol or why is it safe to remove it without a
SONAME bump?

Cheers

> 
> Thanks,
> 
> Berto
> 
> unblock webkit2gtk/2.32.1-1
> 

-- 
Sebastian Ramacher




Bug#989198: unblock: webkit2gtk/2.32.1-1

2021-05-28 Thread Alberto Garcia
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

Starting from buster webkit2gtk has been receiving security updates,
with a dozen DSAs published so far, at a pace of once every month or
two. These updates follow the upstream stable releases.

webkit2gtk 2.32.1 was published on the 10th of May and it belongs to
the new 2.32.x stable branch (which started on the 26th of March with
the 2.32.0 release).

This fixes three security bugs: CVE-2021-1871, CVE-2021-1844 and
CVE-2021-1788. You can see the details here:

   https://webkitgtk.org/security/WSA-2021-0003.html

According to the CVE description, Apple is aware that the first of
those bugs may have been actively exploited.

Since this is a new stable branch (2.30.x -> 2.32.x) I wanted to give
it more time than usual before proposing an unblock to detect possible
regressions.

We found two:

 - https://bugs.debian.org/987448

   The titles of articles of RSS feeds have wrong colors due to broken
   CSS. This is due to upstream changes in WebKitGTK and required
   changes in Liferea. Liferea is now fixed in testing and works fine
   with WebKitGTK 2.32.x

   NOTE: theoretically other packages could have similar problems, but
   we haven't detected any.

 - https://bugs.debian.org/987686

   An autopkgtest regression. This is actually not a bug in WebKitGTK,
   but the new dependency on xdg-desktop-portal-gtk triggers it. I
   downgraded the dependency to a recommendation and the problem is
   gone. I also uploaded a patch for balsa.

I am not aware of any other regression. 2.32.0 was uploaded to
unstable on the 22nd of April and 2.32.1 on the 10th of May.

I would like to have this version of webkit2gtk unblocked and after
that I'll prepare a new security update for buster.

Thanks,

Berto

unblock webkit2gtk/2.32.1-1