Public bug reported:

Recently, Ubuntu released a security update for Ubuntu 16.04 LTS
upgrading webkit2gtk (WK2) from 2.10.9 to 2.12.5. WK2 roughly follows
the GNOME release cycle and released 2.14.0 this week. Based on previous
updates, we can expect a security advisory for this update to be
published soon.

Therefore, I'd like to go ahead and sync webkit2gtk 2.14.0-1 from Debian
to yakkety now. Because it's a security-related update where the
security improvements can't be easily split out, I don't believe it
needs a Feature Freeze exception.

Testing I've done:
- I've been running 2.13 development releases for a few weeks.
- The package has built successfully on Debian on all architectures Ubuntu 
cares about:
https://buildd.debian.org/status/package.php?p=webkit2gtk
- 2.14.0 has been pushed to the GNOME3 Staging PPA for yakkety (which also 
includes GTK 3.22)
- I built 2.14 in my yakkety PPA for all normal PPA architectures (this PPA 
does not use GTK 3.22 or have other odd dependency changes)
https://launchpad.net/~jbicha/+archive/ubuntu/arch/+packages
- I tested Tuesday's daily Ubuntu (Unity) iso with the updated WK2 packages and 
ensured the slideshow works fine (because 2.12.4 had a regression there, see 
bug 1618956 )
- There are three GNOME apps that use WK2's unstable DOM API: epiphany-browser, 
evolution and yelp. The unstable API is scheduled to be removed early in the 
2.16 cycle so this soon won't be an issue.

Without rebuilding, yakkety's epiphany, evolution and yelp work fine. I
intend to package Evolution 3.22 (yakkety currently has 3.21.91) once
wk2 is in yakkety. The evolution package currently has a patch to revert
the switch to the 2.14 API and it would be nice to be able to drop this
patch instead of having to update it again.

I'd like to update Epiphany to 3.22 too. I'm hoping it can fall under
the standing UIFE/FF exception granted to other browsers like Chromium
and Firefox.

References
==========
https://tracker.debian.org/pkg/webkit2gtk

https://tracker.debian.org/media/packages/w/webkit2gtk/changelog-2.14.0-1

https://webkitgtk.org/news.html

https://blogs.igalia.com/carlosgc/2016/09/20/webkitgtk-2-14/

https://blogs.gnome.org/mcatanzaro/2016/09/19/epiphany-3-22-and-a
-couple-new-stable-releases-too/

https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-22

http://www.ubuntu.com/usn/usn-3079-1/

** Affects: epiphany-browser (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: webkit2gtk (Ubuntu)
     Importance: Wishlist
         Status: New


** Tags: upgrade-software-version

** Also affects: epiphany-browser (Ubuntu)
   Importance: Undecided
       Status: New

** Description changed:

  Recently, Ubuntu released a security update for Ubuntu 16.04 LTS
  upgrading webkit2gtk (WK2) from 2.10.9 to 2.12.5. WK2 roughly follows
  the GNOME release cycle and released 2.14.0 this week. Based on previous
  updates, we can expect a security advisory for this update to be
  published soon.
  
  Therefore, I'd like to go ahead and sync webkit2gtk 2.14.0-1 from Debian
  to yakkety now. Because it's a security-related update where the
  security improvements can't be easily split out, I don't believe it
  needs a Feature Freeze exception.
  
  Testing I've done:
  - I've been running 2.13 development releases for a few weeks.
  - The package has built successfully on Debian on all architectures Ubuntu 
cares about:
  https://buildd.debian.org/status/package.php?p=webkit2gtk
  - 2.14.0 has been pushed to the GNOME3 Staging PPA for yakkety (which also 
includes GTK 3.22)
  - I built 2.14 in my yakkety PPA for all normal PPA architectures (this PPA 
does not use GTK 3.22 or have other odd dependency changes)
  https://launchpad.net/~jbicha/+archive/ubuntu/arch/+packages
  - I tested Tuesday's daily Ubuntu (Unity) iso with the updated WK2 packages 
and ensured the slideshow works fine (because 2.12.4 had a regression there, 
see bug 1618956 )
  - There are three GNOME apps that use WK2's unstable DOM API: 
epiphany-browser, evolution and yelp. The unstable API is scheduled to be 
removed early in the 2.16 cycle so this soon won't be an issue.
  
  Without rebuilding, yakkety's epiphany, evolution and yelp work fine. I
  intend to package Evolution 3.22 (yakkety currently has 3.21.91) once
  wk2 is in yakkety. The evolution package currently has a patch to revert
  the switch to the 2.14 API and it would be nice to be able to drop this
  patch instead of having to update it again.
  
  I'd like to update Epiphany to 3.22 too. I'm hoping it can fall under
  the standing UIFE/FF exception granted to other browsers like Chromium
  and Firefox.
  
  References
  ==========
+ https://tracker.debian.org/pkg/webkit2gtk
+ 
+ https://tracker.debian.org/media/packages/w/webkit2gtk/changelog-2.14.0-1
+ 
  https://webkitgtk.org/news.html
  
  https://blogs.igalia.com/carlosgc/2016/09/20/webkitgtk-2-14/
  
  https://blogs.gnome.org/mcatanzaro/2016/09/19/epiphany-3-22-and-a
  -couple-new-stable-releases-too/
  
  https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-22
  
  http://www.ubuntu.com/usn/usn-3079-1/

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1625897

Title:
  Update webkitgtk to 2.14.0 in yakkety

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/epiphany-browser/+bug/1625897/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to