[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy

[David Barth]

** Description changed:

- signon-ui-x11(http://packages.ubuntu.com/xenial/signon-ui-x11) depends
- on libqt5webkit5
+ [Impact]
  
- https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-
- updates/
+  * When declaring online accounts for use by Ubuntu, the system uses a
+ webview to authenticate to online services like Facebook or Google.
  
+  * On X11 desktops, that webview currently uses an old qt5webkit
+ component that is now unmaintained
  
- Can it be resolved so new LTS wont be released with known webkit1 
bugs/security exploits?
+  * Backporting this fix will simplify the maintenance work, by removing
+ the need for that old component, and will improve the coherence of the
+ system by using a supported Oxide webview
+ 
+ [Test Case]
+ 
+ To verify the change:
+ 
+  * Go to system settings > Online Accounts
+  * Add account of type Google, Facebook or Twitter (which uses webview for 
authentication)
+  * Verify that a webview opens to log onto the online service
+  * Verify that the account is listed in the account list at the end of this 
process
+  * Verify that the related apps and services can use the online account as 
before (ie Shotwell photo uploads, Photos scope, etc.)
+ 
+ [Regression Potential]
+ 
+  * On architectures not supported by Oxide, namely ppc64el and s390x,
+ the change will trigger a runtime error when trying to use that part of
+ signon-ui.
+ 
+  * The problem affects users of Ubuntu desktop systems based on X11. The
+ change is already in effect on Unity8/Mir devices for a few months.
+ 
+ [Other Info]
+ 
+  * signon-ui-x11(http://packages.ubuntu.com/xenial/signon-ui-x11)
+ depends on libqt5webkit5
+ 
+  * See also: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-
+ security-updates/

** Description changed:

+ This is an SRU request, based on the process documented at
+ https://wiki.ubuntu.com/StableReleaseUpdates
+ 
+ 
  [Impact]
  
-  * When declaring online accounts for use by Ubuntu, the system uses a
+  * When declaring online accounts for use by Ubuntu, the system uses a
  webview to authenticate to online services like Facebook or Google.
  
-  * On X11 desktops, that webview currently uses an old qt5webkit
+  * On X11 desktops, that webview currently uses an old qt5webkit
  component that is now unmaintained
  
-  * Backporting this fix will simplify the maintenance work, by removing
+  * Backporting this fix will simplify the maintenance work, by removing
  the need for that old component, and will improve the coherence of the
  system by using a supported Oxide webview
  
  [Test Case]
  
  To verify the change:
  
-  * Go to system settings > Online Accounts
-  * Add account of type Google, Facebook or Twitter (which uses webview for 
authentication)
-  * Verify that a webview opens to log onto the online service
-  * Verify that the account is listed in the account list at the end of this 
process
-  * Verify that the related apps and services can use the online account as 
before (ie Shotwell photo uploads, Photos scope, etc.)
+  * Go to system settings > Online Accounts
+  * Add account of type Google, Facebook or Twitter (which uses webview for 
authentication)
+  * Verify that a webview opens to log onto the online service
+  * Verify that the account is listed in the account list at the end of this 
process
+  * Verify that the related apps and services can use the online account as 
before (ie Shotwell photo uploads, Photos scope, etc.)
  
  [Regression Potential]
  
-  * On architectures not supported by Oxide, namely ppc64el and s390x,
+  * On architectures not supported by Oxide, namely ppc64el and s390x,
  the change will trigger a runtime error when trying to use that part of
  signon-ui.
  
-  * The problem affects users of Ubuntu desktop systems based on X11. The
+  * The problem affects users of Ubuntu desktop systems based on X11. The
  change is already in effect on Unity8/Mir devices for a few months.
  
  [Other Info]
  
-  * signon-ui-x11(http://packages.ubuntu.com/xenial/signon-ui-x11)
+  * signon-ui-x11(http://packages.ubuntu.com/xenial/signon-ui-x11)
  depends on libqt5webkit5
  
-  * See also: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-
+  * See also: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-
  security-updates/

** Summary changed:

- CRITICAL: please remove libqt5webkit dependancy
+ [SRU] please remove libqt5webkit dependancy

** Summary changed:

- [SRU] please remove libqt5webkit dependancy
+ [SRU] please remove libqt5webkit dependency

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547647

Title:
  [SRU] please remove libqt5webkit dependency

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy

[Will Cooke]

** Changed in: signon-ui (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: signon-ui (Ubuntu Xenial)
 Assignee: (unassigned) => Alberto Mardegan (mardy)

** Changed in: signon-ui (Ubuntu Yakkety)
 Assignee: (unassigned) => Alberto Mardegan (mardy)

** Changed in: signon-ui (Ubuntu Xenial)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547647

Title:
  CRITICAL: please remove libqt5webkit dependancy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy

[Will Cooke]

** Also affects: signon-ui (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: signon-ui (Ubuntu Yakkety)
   Importance: Medium
   Status: Fix Released

** Changed in: signon-ui (Ubuntu Xenial)
Milestone: None => ubuntu-16.04.1

** Changed in: signon-ui (Ubuntu Yakkety)
Milestone: ubuntu-16.04.1 => None

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547647

Title:
  CRITICAL: please remove libqt5webkit dependancy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy

[Will Cooke]

** Changed in: signon-ui (Ubuntu)
Milestone: None => ubuntu-16.04.1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547647

Title:
  CRITICAL: please remove libqt5webkit dependancy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy

[Amr Ibrahim]

** Tags added: xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547647

Title:
  CRITICAL: please remove libqt5webkit dependancy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy

[Launchpad Bug Tracker]

This bug was fixed in the package signon-ui -
0.17+16.04.20160406-0ubuntu1

---
signon-ui (0.17+16.04.20160406-0ubuntu1) xenial; urgency=medium

  [ Alberto Mardegan ]
  * Update Ubuntu.Web backend, make it the default on Unity (LP:
#1547647)

 -- David Barth   Wed, 06 Apr 2016 09:17:36
+

** Changed in: signon-ui (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547647

Title:
  CRITICAL: please remove libqt5webkit dependancy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy

[Jean-Baptiste Lallement]

** Also affects: canonical-devices-system-image
   Importance: Undecided
   Status: New

** Changed in: canonical-devices-system-image
   Status: New => Confirmed

** No longer affects: canonical-devices-system-image

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547647

Title:
  CRITICAL: please remove libqt5webkit dependancy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy

[Alberto Mardegan]

** Branch linked: lp:~mardy/signon-ui/no-webkit-1547647

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547647

Title:
  CRITICAL: please remove libqt5webkit dependancy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy

[Alberto Mardegan]

I've spent some time investigating the possibility of replacing QtWebkit with 
the Ubuntu.Web module (which internally uses Oxide), but the task looks far 
from trivial, and we should consider whether the request is worth the effort.
There are also two points to consider:
1) While indeed Oxide would be the safest bet from a security point of view, we 
use this webview for showing service login portals, which typically are safe to 
browse as they don't include third party content where malicious code could 
reside.
2) Oxide only works in x86-64, i386 and armhf architectures

Summing up, while I think we should be definitely moving towards the
goal of not using QtWebkit1, I don't see a critical urgency of doing
this for the LTS. So I'll be working on this bug as time permits, unless
of course more reasons for the urgency are given.


** Changed in: signon-ui (Ubuntu)
   Importance: Undecided => Medium

** Changed in: signon-ui (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1547647

Title:
  CRITICAL: please remove libqt5webkit dependancy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs