On Mon, 21 Dec 2009 18:10:08 +0100 Yves-Alexis Perez wrote:
> Michael Gilbert wrote:
> > Hi all,
> >
> > The number of open CVEs for webkit during lenny's lifetime so far has
> > been incredibly high. Only rivaled by openjdk and the kernel (at
> > times), but those seem to get updates reasonably fast even though there
> > are a large number. Guisseppe has done some good work fixing a large
> > number of webkit issues recently, which is great, but still another 19
> > remain.
> >
> > The root of this problem is that debian does not have access to apple's
> > private security list [0]. The thing is that they have already offered
> > access in the past (to anyone with a debian.org address) [1], but no one
> > stepped up to the plate. I would take on the responsibility, but I am
> > not a DD.
> >
> > So, I think at this point, webkit should be strongly considered for
> > removal in the next lenny point release (because I don't foresee things
> > getting any better any time soon), and possibly from squeeze as well.
> > However, this concern could be rendered moot should someone volunteer
> > to gain access to the private webkit list.
>
> Were the webkit maintainers aware of that proposal?

Not yet. I wanted to start a conversation with the security team first
to determine a direction. The ideal solution is simple since the
upstream webkit security team will grant anyone with a debian.org
address access to their private security list. So, we just need someone
to volunteer to do that. Any takers?

Mike

