On Mon, Dec 21, 2009 at 06:10:08PM +0100, Yves-Alexis Perez wrote:
> Michael Gilbert wrote:
> > Hi all,
> >
> > The number of open CVEs for webkit during lenny's lifetime so far has
> > been incredibly high. Only rivaled by openjdk and the kernel (at
> > times), but those seem to get updates reasonably fast even though there
> > are a large number. Giuseppe has done some good work fixing a large
> > number of webkit issues recently, which is great, but still another 19
> > remain.
> >
> > The root of this problem is that debian does not have access to apple's
> > private security list [0]. The thing is that they have already offered
> > access in the past (to anyone with a debian.org address) [1], but no one
> > stepped up to the plate. I would take on the responsibility, but I am
> > not a DD.
> >
> > So, I think at this point, webkit should be strongly considered for
> > removal in the next lenny point release (because I don't foresee things
> > getting any better any time soon), and possibly from squeeze as well.
> > However, this concern could be rendered moot should someone volunteer
> > to gain access to the private webkit list.
>
> Were the webkit maintainers aware of that proposal?

No, and the main problem with webkit is that a lot of the CVEs that are
supposedly affecting it are OSX-only or Safari-only issues. There is a huge
lack of *webkit* security tracking upstream.

Gustavo, since you are involved upstream, do you know if things are moving
for that?

Mike

PS: removing webkit from squeeze is something that will not work. It would
remove important gnome applications.

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

