Release notes entry for web browser security support
as discussed before
we need to document the de-facto status of Squeeze browser support
in the release notes. Proposed text below.
Any objections and/or spelling improvements by native speakers?
[Webkit, Chromium and KDE maintainers CC.]
State of browser support
Debian Squeeze includes several browser engines which are affected by a frequent
stream of security vulnerabilities. The high rate of vulnerabilities
and lack of upstream support in the form of long term branches make it
close to impossible to support these browsers with backported security
fixes. Additionally, library interdepencies make it impossible to update to newer
upstream releases. As such, browsers built upon the webkit, qtwebkit
and khtml engines are included in Squeeze, but not covered by full security
support. We will make an effort to track down and backport security fixes,
but in general these browsers should not be used against untrusted websites.
For general web browser use we recommend browsers building on the
Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium. Xulrunner
has had a history of good backportability for older releases over the
previous release cycles.
Chromium - while build upon the Webkit codebase - is a leaf package, i.e.
if backporting becomes no longer feasible, there's still the possibility of
upgrading to a later upstream release (which is not possible for the
webkit library itself).