On Thu, Sep 7 2023 at 11:29:58 AM +0800, 不会弹吉他的KK
<kai.7.k...@gmail.com> wrote:
For Yocto project whick I am working on, packages(recipes) can NOT be
updated with
major version upgrade on Yocto released products/branches. So we
still have to fix such
kind of CVEs. But for master branch, webkitgtk will be upgraded as
soon as it released.
I'm going to recommend a different approach: don't fix any CVEs and
instead prominently document that the version of WebKitGTK distributed
by Yocto does not receive security updates. It's really better to avoid
misplaced expectations; when you backport security fixes, people assume
incorrectly that the package is receiving comprehensive security
backports and is safe to use, but that's just not true. i.e. your
security updates actually harm security because they mess up users'
expectations. It's better to just be clear about it. We have this same
problem in RHEL and are slowly moving towards doing no updates there as
well.
I would recommend removing WebKitGTK and its dependencies from Yocto
altogether if they have rules that prohibit you from releasing proper
security updates just because the version number is higher. Anyway,
good luck.
Michael
_______________________________________________
webkit-gtk mailing list
webkit-gtk@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-gtk
