Bug#989198: unblock: webkit2gtk/2.32.1-1
Hi Alberto,

On 05-06-2021 01:52, Alberto Garcia wrote:
> So if you are ok with the change of dependencies I will upload it to
> unstable and request a new unblock.

Ack. But next time, please create a new unblock (pre-approval) request. This bug is closed and your message had a high chance of being missed.

Paul
Bug#989198: unblock: webkit2gtk/2.32.1-1
On Fri, May 28, 2021 at 11:18:00AM +0200, Alberto Garcia wrote:
> unblock webkit2gtk/2.32.1-1

This upload introduced a regression (#989332) that should probably be fixed for bullseye.

WebKitGTK has always used GStreamer internally but the Debian package only _recommends_ the GStreamer plugins because in theory you can use the web without them (but forget about audio and video).

This has changed recently and now WebKit assumes that at least the -base and -good sets of plugins are available, and will abort with an assertion if e.g. there is no audio plugin installed.

In practice I think that the vast majority of users won't hit this problem because a) those plugins are recommended and apt installs them by default and b) they are amongst the most common packages on a desktop environment and required by many other programs.

But it turns out that some people do browse the web with Epiphany and don't have those plugins installed, so we should probably try to avoid similar situations.

I would like to move gstreamer1.0-plugins-good from Recommends to Depends. See the attached patch, in which I also get rid of the gstreamer1.0-pulseaudio recommendation (now part of plugins-good), explicitly depend on plugins-base (which are implicitly installed anyway by plugins-good) and recommend plugins-bad (which is needed for many common video formats).

An alternative would be to patch WebKit (downstream or upstream) to remove the assertion, or perhaps to use a dummy plugin ('fakesink') if no other is available. But this change is not necessarily trivial (WebKit uses many plugins in different places) and I'm not sure that upstream would be so happy to support that use case (considering that one can disable several media options at build time).

So if you are ok with the change of dependencies I will upload it to unstable and request a new unblock.

Regards,

Berto

diff --git a/debian/changelog b/debian/changelog index 8bc5c0a2183f..7556456f9097 100644 --- a/debian/changelog 
+++ b/debian/changelog @@ -1,3 +1,13 @@ +webkit2gtk (2.32.1-2) unstable; urgency=high + + * debian/control: ++ Update the dependencies on GStreamer plugins (Closes: #989332): + - WebKitGTK really expects at least the -base and -good sets. + - For video playback (e.g YouTube) -bad is also recommended. + - The pulseaudio plugin was merged into the -good package. + + -- Alberto Garcia Fri, 04 Jun 2021 21:10:02 +0200 + webkit2gtk (2.32.1-1) unstable; urgency=medium * New upstream release. diff --git a/debian/control b/debian/control index 7c0b3218f92d..8b1c4197e740 100644 --- a/debian/control +++ b/debian/control @@ -138,11 +138,13 @@ Architecture: any Multi-Arch: same Pre-Depends: ${misc:Pre-Depends} Depends: libjavascriptcoregtk-4.0-18 (= ${binary:Version}), + gstreamer1.0-plugins-base, + gstreamer1.0-plugins-good, ${bwrap:Depends}, ${shlibs:Depends}, ${misc:Depends} -Recommends: gstreamer1.0-plugins-good, -gstreamer1.0-pulseaudio | gstreamer1.0-alsa, +Recommends: gstreamer1.0-plugins-bad, +gstreamer1.0-alsa, gstreamer1.0-gl, libgl1-mesa-dri, ${bwrap:Recommends},
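Review bot: in the debian/control hunk the new `gstreamer1.0-plugins-base` and `gstreamer1.0-plugins-good` entries in Depends are unversioned, while the changelog justifies dropping `gstreamer1.0-pulseaudio` by the plugin having been merged into -good. A -good package from before that merge would still satisfy the dependency without shipping the pulseaudio plugin, so consider a minimum version on `gstreamer1.0-plugins-good`. Separately, removing the `gstreamer1.0-pulseaudio |` alternative turns `gstreamer1.0-alsa` from a fallback into an unconditional Recommends; if that is not intended, drop it, otherwise mention it in the changelog entry.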
Bug#989198: unblock: webkit2gtk/2.32.1-1
Control: tags -1 - moreinfo

On Fri, May 28, 2021 at 10:44:27PM +0200, Sebastian Ramacher wrote:
> libwebkit2gtk-4.0.so.37 libwebkit2gtk-4.0-37 #MINVER#
> * Build-Depends-Package: libwebkit2gtk-4.0-dev
> (c++)"WebKit::NetworkProcessMain(int, char**)@Base" 2.27.90
> - (c++)"WebKit::PluginProcessMain(int, char**)@Base" 2.27.90
> (c++)"WebKit::WebProcessMain(int, char**)@Base" 2.27.90
> (c++)"WebKit::WebKitExtensionManager::initialize(WebKit::InjectedBundle*,
> API::Object*)@Base" 2.17.5
> (c++)"WebKit::WebKitExtensionManager::singleton()@Base" 2.17.5
>
> Is that an internal symbol or why is it safe to remove it without a
> SONAME bump?

This is actually not part of the library API. The plugin process is (was) a separate binary used to load NPAPI plugins, but those are no longer supported by any major browser:

https://salsa.debian.org/webkit-team/webkit/-/commit/73f555da9678842191a904b41ca17d7aee84a8e4

The last important user was Adobe Flash, which reached eol in December 2020.

Berto
Bug#989198: unblock: webkit2gtk/2.32.1-1
Control: tags -1 moreinfo

On 2021-05-28 11:18:00 +0200, Alberto Garcia wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package webkit2gtk
>
> Starting from buster webkit2gtk has been receiving security updates,
> with a dozen DSAs published so far, at a pace of once every month or
> two. These updates follow the upstream stable releases.
>
> webkit2gtk 2.32.1 was published on the 10th of May and it belongs to
> the new 2.32.x stable branch (which started on the 26th of March with
> the 2.32.0 release).
>
> This fixes three security bugs: CVE-2021-1871, CVE-2021-1844 and
> CVE-2021-1788. You can see the details here:
>
>    https://webkitgtk.org/security/WSA-2021-0003.html
>
> According to the CVE description, Apple is aware that the first of
> those bugs may have been actively exploited.
>
> Since this is a new stable branch (2.30.x -> 2.32.x) I wanted to give
> it more time than usual before proposing an unblock to detect possible
> regressions.
>
> We found two:
>
> - https://bugs.debian.org/987448
>
>    The titles of articles of RSS feeds have wrong colors due to broken
>    CSS. This is due to upstream changes in WebKitGTK and required
>    changes in Liferea. Liferea is now fixed in testing and works fine
>    with WebKitGTK 2.32.x
>
>    NOTE: theoretically other packages could have similar problems, but
>    we haven't detected any.
>
> - https://bugs.debian.org/987686
>
>    An autopkgtest regression. This is actually not a bug in WebKitGTK,
>    but the new dependency on xdg-desktop-portal-gtk triggers it. I
>    downgraded the dependency to a recommendation and the problem is
>    gone. I also uploaded a patch for balsa.
>
> I am not aware of any other regression. 2.32.0 was uploaded to
> unstable on the 22nd of April and 2.32.1 on the 10th of May.
>
> I would like to have this version of webkit2gtk unblocked and after
> that I'll prepare a new security update for buster.
diff -Nru webkit2gtk-2.30.6/debian/libwebkit2gtk-4.0-37.symbols webkit2gtk-2.32.1/debian/libwebkit2gtk-4.0-37.symbols --- webkit2gtk-2.30.6/debian/libwebkit2gtk-4.0-37.symbols 2021-03-18 15:05:45.0 + +++ webkit2gtk-2.32.1/debian/libwebkit2gtk-4.0-37.symbols 2021-05-10 10:20:44.0 + @@ -1,7 +1,6 @@ libwebkit2gtk-4.0.so.37 libwebkit2gtk-4.0-37 #MINVER# * Build-Depends-Package: libwebkit2gtk-4.0-dev (c++)"WebKit::NetworkProcessMain(int, char**)@Base" 2.27.90 - (c++)"WebKit::PluginProcessMain(int, char**)@Base" 2.27.90 (c++)"WebKit::WebProcessMain(int, char**)@Base" 2.27.90 (c++)"WebKit::WebKitExtensionManager::initialize(WebKit::InjectedBundle*, API::Object*)@Base" 2.17.5 (c++)"WebKit::WebKitExtensionManager::singleton()@Base" 2.17.5

Is that an internal symbol or why is it safe to remove it without a SONAME bump?

Cheers

>
> Thanks,
>
> Berto
>
> unblock webkit2gtk/2.32.1-1
>

--
Sebastian Ramacher
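Review bot: the `-` line in the symbols hunk drops `WebKit::PluginProcessMain(int, char**)@Base` from `libwebkit2gtk-4.0.so.37` while the SONAME and package name stay the same, and nothing in the visible diff records why that is safe. Add a debian/changelog line stating that the symbol was never part of the public API and why no other package can have linked against it, so the removal is documented alongside the symbols file change.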
Bug#989198: unblock: webkit2gtk/2.32.1-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package webkit2gtk

Starting from buster webkit2gtk has been receiving security updates, with a dozen DSAs published so far, at a pace of once every month or two. These updates follow the upstream stable releases.

webkit2gtk 2.32.1 was published on the 10th of May and it belongs to the new 2.32.x stable branch (which started on the 26th of March with the 2.32.0 release).

This fixes three security bugs: CVE-2021-1871, CVE-2021-1844 and CVE-2021-1788. You can see the details here:

   https://webkitgtk.org/security/WSA-2021-0003.html

According to the CVE description, Apple is aware that the first of those bugs may have been actively exploited.

Since this is a new stable branch (2.30.x -> 2.32.x) I wanted to give it more time than usual before proposing an unblock to detect possible regressions.

We found two:

- https://bugs.debian.org/987448

   The titles of articles of RSS feeds have wrong colors due to broken CSS. This is due to upstream changes in WebKitGTK and required changes in Liferea. Liferea is now fixed in testing and works fine with WebKitGTK 2.32.x

   NOTE: theoretically other packages could have similar problems, but we haven't detected any.

- https://bugs.debian.org/987686

   An autopkgtest regression. This is actually not a bug in WebKitGTK, but the new dependency on xdg-desktop-portal-gtk triggers it. I downgraded the dependency to a recommendation and the problem is gone. I also uploaded a patch for balsa.

I am not aware of any other regression. 2.32.0 was uploaded to unstable on the 22nd of April and 2.32.1 on the 10th of May.

I would like to have this version of webkit2gtk unblocked and after that I'll prepare a new security update for buster.

Thanks,

Berto

unblock webkit2gtk/2.32.1-1