Bug#1057755: Qt WebEngine Security Support In Stable
- To: Soren Stoutner <soren@stoutner.com>
- Cc: Debian UBports Team <team+ubports@tracker.debian.org>, Patrick Franz <deltaone@debian.org>, Debian Release Team <debian-release@lists.debian.org>, 1057755@bugs.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>, Dmitry Shachnev <mitya57@debian.org>, Debian Security Team <security@debian.org>, Pirate Praveen <praveen@debian.org>, Nilesh Patra <nilesh@debian.org>, Aurélien COUDERC <coucouf@debian.org>, Fritz Reichwald <reichwald@b1-systems.de>, Mike Gabriel <sunweaver@debian.org>, Thomas Goirand <thomas@goirand.fr>
- Subject: Bug#1057755: Qt WebEngine Security Support In Stable
- From: Adrian Bunk <bunk@debian.org>
- Date: Thu, 14 Dec 2023 14:15:17 +0200
- Message-id: <ZXrx1YnXXmHIlqlb@localhost>
- Reply-to: Adrian Bunk <bunk@debian.org>, 1057755@bugs.debian.org
- In-reply-to: <2213482.m7GEIngJ31@soren-desktop>
- References: <170199911428.713712.13945181272059018033.reportbug@soren-desktop.stoutner.com> <6550495.KKiVMrIYXq@soren-desktop> <ZXpXsja9/kKlaei7@localhost> <2213482.m7GEIngJ31@soren-desktop> <170199911428.713712.13945181272059018033.reportbug@soren-desktop.stoutner.com>
On Wed, Dec 13, 2023 at 08:49:55PM -0700, Soren Stoutner wrote:
>...
> Currently there is no real security support for Qt WebEngine in stable, which
> is an oversight that might surprise many Debian users. The purpose of this
> discussion is to figure out the best way to change that.
This is not a new discussion, and there aren't any simple solutions.
The release notes for squeeze[1] released nearly 13 years ago already
had a section on limited support for browser engines.
For web browsers, shipping the latest versions is the only workable solution.
WebKitGTK is basically the GNOME equivalent of Qt WebEngine based on a
different browser. Security support for WebKitGTK was also missing for
many years; it became feasible when upstream made commitments regarding
API/ABI compatibility and sticking to using older versions of dependencies.
Qt has nearly 30 years' history of being somewhere between open source
and freemium;[2] this is not an upstream one would expect to make such
commitments.
> Shipping LTS versions
> of Qt in stable would put us in a better position than the status quo, even if
> it doesn’t get us all the way there.
>...
When a suitable version is available updating in (old)stable might be
possible, e.g. updating qtwebengine-opensource-src in stable and
oldstable might be technically feasible and rebuilding angelfish would
be unlikely to be a dealbreaker if someone wants to discuss such a
(tested!) update with the release team. The release team might or might
not agree with such an update, but this would not be the same as
providing security support for qtwebengine-opensource-src.
Your "better position" might actually be worse: far more surprising than
flagging something as unsupported from the beginning would be declaring
it supported and then dropping support after a year. What are users
supposed to do at that point?
cu
Adrian
[1] https://www.debian.org/releases/squeeze/amd64/release-notes.en.txt
[2] https://en.wikipedia.org/wiki/Qt_(software)#History_of_Qt