[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy
** Description changed: - signon-ui-x11(http://packages.ubuntu.com/xenial/signon-ui-x11) depends - on libqt5webkit5 + [Impact] - https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security- - updates/ + * When declaring online accounts for use by Ubuntu, the system uses a + webview to authenticate to online services like Facebook or Google. + * On X11 desktops, that webview currently uses an old qt5webkit + component that is now unmaintained - Can it be resolved so new LTS wont be released with known webkit1 bugs/security exploits? + * Backporting this fix will simplify the maintenance work, by removing + the need for that old component, and will improve the coherence of the + system by using a supported Oxide webview + + [Test Case] + + To verify the change: + + * Go to system settings > Online Accounts + * Add account of type Google, Facebook or Twitter (which uses webview for authentication) + * Verify that a webview opens to log onto the online service + * Verify that the account is listed in the account list at the end of this process + * Verify that the related apps and services can use the online account as before (ie Shotwell photo uploads, Photos scope, etc.) + + [Regression Potential] + + * On architectures not supported by Oxide, namely ppc64el and s390x, + the change will trigger a runtime error when trying to use that part of + signon-ui. + + * The problem affects users of Ubuntu desktop systems based on X11. The + change is already in effect on Unity8/Mir devices for a few months. 
+ + [Other Info] + + * signon-ui-x11(http://packages.ubuntu.com/xenial/signon-ui-x11) + depends on libqt5webkit5 + + * See also: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit- + security-updates/ ** Description changed: + This is an SRU request, based on the process documented at + https://wiki.ubuntu.com/StableReleaseUpdates + + [Impact] - * When declaring online accounts for use by Ubuntu, the system uses a + * When declaring online accounts for use by Ubuntu, the system uses a webview to authenticate to online services like Facebook or Google. - * On X11 desktops, that webview currently uses an old qt5webkit + * On X11 desktops, that webview currently uses an old qt5webkit component that is now unmaintained - * Backporting this fix will simplify the maintenance work, by removing + * Backporting this fix will simplify the maintenance work, by removing the need for that old component, and will improve the coherence of the system by using a supported Oxide webview [Test Case] To verify the change: - * Go to system settings > Online Accounts - * Add account of type Google, Facebook or Twitter (which uses webview for authentication) - * Verify that a webview opens to log onto the online service - * Verify that the account is listed in the account list at the end of this process - * Verify that the related apps and services can use the online account as before (ie Shotwell photo uploads, Photos scope, etc.) + * Go to system settings > Online Accounts + * Add account of type Google, Facebook or Twitter (which uses webview for authentication) + * Verify that a webview opens to log onto the online service + * Verify that the account is listed in the account list at the end of this process + * Verify that the related apps and services can use the online account as before (ie Shotwell photo uploads, Photos scope, etc.) 
[Regression Potential] - * On architectures not supported by Oxide, namely ppc64el and s390x, + * On architectures not supported by Oxide, namely ppc64el and s390x, the change will trigger a runtime error when trying to use that part of signon-ui. - * The problem affects users of Ubuntu desktop systems based on X11. The + * The problem affects users of Ubuntu desktop systems based on X11. The change is already in effect on Unity8/Mir devices for a few months. [Other Info] - * signon-ui-x11(http://packages.ubuntu.com/xenial/signon-ui-x11) + * signon-ui-x11(http://packages.ubuntu.com/xenial/signon-ui-x11) depends on libqt5webkit5 - * See also: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit- + * See also: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit- security-updates/ ** Summary changed: - CRITICAL: please remove libqt5webkit dependancy + [SRU] please remove libqt5webkit dependancy ** Summary changed: - [SRU] please remove libqt5webkit dependancy + [SRU] please remove libqt5webkit dependency -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1547647 Title: [SRU] please remove libqt5webkit dependency To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/signon-ui/+bug/1547647/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
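Review bot: The [Test Case] section only exercises the successful login flow, while [Regression Potential] states that the change triggers a runtime error on ppc64el and s390x when that part of signon-ui is used. Suggest adding a verification step for those two architectures that states the expected behaviour there, and saying in [Regression Potential] how the error surfaces to the user and whether the rest of Online Accounts remains usable.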
[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy
** Changed in: signon-ui (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: signon-ui (Ubuntu Xenial)
     Assignee: (unassigned) => Alberto Mardegan (mardy)

** Changed in: signon-ui (Ubuntu Yakkety)
     Assignee: (unassigned) => Alberto Mardegan (mardy)

** Changed in: signon-ui (Ubuntu Xenial)
   Importance: Undecided => Medium
[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy
** Also affects: signon-ui (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: signon-ui (Ubuntu Yakkety)
   Importance: Medium
       Status: Fix Released

** Changed in: signon-ui (Ubuntu Xenial)
    Milestone: None => ubuntu-16.04.1

** Changed in: signon-ui (Ubuntu Yakkety)
    Milestone: ubuntu-16.04.1 => None
[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy
** Changed in: signon-ui (Ubuntu)
    Milestone: None => ubuntu-16.04.1
[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy
** Tags added: xenial
[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy
This bug was fixed in the package signon-ui - 0.17+16.04.20160406-0ubuntu1

---
signon-ui (0.17+16.04.20160406-0ubuntu1) xenial; urgency=medium

  [ Alberto Mardegan ]
  * Update Ubuntu.Web backend, make it the default on Unity (LP: #1547647)

 -- David Barth  Wed, 06 Apr 2016 09:17:36 +

** Changed in: signon-ui (Ubuntu)
       Status: Confirmed => Fix Released
[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy
** Also affects: canonical-devices-system-image
   Importance: Undecided
       Status: New

** Changed in: canonical-devices-system-image
       Status: New => Confirmed

** No longer affects: canonical-devices-system-image
[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy
** Branch linked: lp:~mardy/signon-ui/no-webkit-1547647
[Bug 1547647] Re: CRITICAL: please remove libqt5webkit dependancy
I've spent some time investigating the possibility of replacing QtWebkit with the Ubuntu.Web module (which internally uses Oxide), but the task looks far from trivial, and we should consider whether the request is worth the effort.

There are also two points to consider:

1) While indeed Oxide would be the safest bet from a security point of view, we use this webview for showing service login portals, which typically are safe to browse as they don't include third party content where malicious code could reside.

2) Oxide only works in x86-64, i386 and armhf architectures.

Summing up, while I think we should be definitely moving towards the goal of not using QtWebkit1, I don't see a critical urgency of doing this for the LTS. So I'll be working on this bug as time permits, unless of course more reasons for the urgency are given.

** Changed in: signon-ui (Ubuntu)
   Importance: Undecided => Medium

** Changed in: signon-ui (Ubuntu)
       Status: New => Confirmed