Hi all,

The number of open CVEs for webkit during lenny's lifetime so far has been incredibly high. Only rivaled by openjdk and the kernel (at times), but those seem to get updates reasonably fast even though there are a large number. Giuseppe has done some good work fixing a large number of webkit issues recently, which is great, but still another 19 remain.

The root of this problem is that Debian does not have access to Apple's private security list [0]. The thing is that they have already offered access in the past (to anyone with a debian.org address) [1], but no one stepped up to the plate. I would take on the responsibility, but I am not a DD.

So, I think at this point, webkit should be strongly considered for removal in the next lenny point release (because I don't foresee things getting any better any time soon), and possibly from squeeze as well. However, this concern could be rendered moot should someone volunteer to gain access to the private webkit list.

Best wishes,
Mike

[0] http://webkit.org/security/
[1] http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-August/003008.html

