Hey Dmitry,
On Fri, Jul 07, 2017 at 02:28:25PM +0300, Dmitry Shachnev wrote:
> Control: severity -1 important
>
> Hi Florian!
>
> On Fri, Jul 07, 2017 at 12:59:09PM +0200, Florian Bruhin wrote:
> > I'll have to disagree with this being a "wishlist" bug - Security wise,
> > the old QtWebKit is worse than WebKitGTK 2.4, which gets dropped from
> > buster[4] - we're talking about ~3 years of delta from upstream WebKit,
> > including all security fixes in that timespan, which are missing from
> > the current QtWebKit package. Even if Debian doesn't intend to provide
> > security support[5] for QtWebKit, there are various packages depending
> > on it which deal with untrusted input.
>
> I absolutely agree. Bumping the bug severity to important.
>
> However as I said, we need to focus on Qt 5.7.1 → 5.9.1 transition now,
> which still has some blockers. After the transition is done, we will be
> able to do some other Qt tasks not directly related to upgrade, i.e.
> updating QtWebKit or building QtBase with GL ES support on AArch64.
>
> I hope we will do the transition within a couple of weeks, but it depends
> on my time and amount of other tasks.
Sure, I agree keeping Qt up to date is also important - hope everything
goes well with that. Thank you! :)
Florian
--
https://www.qutebrowser.org | me@the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/
Attachment:
signature.asc
Description: PGP signature