
Bug#1034364: kde-baseapps depends on konqueror which is not security maintained
Hi!

On Mon, 17 Apr 2023 at 12:34, Bernhard Reiter <bernhard@intevation.de> wrote:
>
> Hi Lisandro,
>
> thanks for your response!
>
> > On Saturday 15 April 2023 15:15:08 you wrote:
> > On Thu, 13 Apr 2023 at 14:15, Bernhard Reiter <bernhard@intevation.de>
> > >    "qtwebengine-opensource-src No security support upstream and
> > >    backports not feasible, only for use on trusted content"
>
> > If we follow that reasoning we shouldn't be shipping Plasma at all, as
> > many things use Qt5's webengine.
>
> Konqueror is advertised as web browser, which means it will (offer to)
> open URLs from different sources, e.g. when clicked from emails which means
> external URLs and data.

Same goes for KMail too :-)

> Other components from plasma may not share the same exposure to outside
> data, and thus would be less vulnerable. It seems that this would warrant
> some more examination.

Whatever uses webengine/webkit/<web engine of the day> has the same
issue. Well, for as long as they are a pile of embedded code, at least
to start with.

> If it is true that other components show the same risks, then yes, I'd say
> that we should either get the security situation changed or really do not
> ship those components by default. They may put systems at risk the way
> the dynamic loading of remote objects from Java did, which would be a problem
> for both Debian and upstream.

Same thing I said when I opposed packaging webengine, you see :-) But
now it is packaged, and here we are :)

> It seems too big a topic for this issue.
> What would be the right place in debian to bring this up?

Debian devel, maybe? But I did ask the same thing years ago. The reply
was "what is the difference with a PDF?" Whatever handles untrusted
code has the same issue. The only difference here is that we can not
really keep track of everything that goes on a web engine, so no
security support, which does not mean we try to apply patches if we
can.

But please feel free to do whatever you think is right. That's your
freedom, and that's good :)

-- 
Lisandro Damián Nicanor Pérez Meyer
https://perezmeyer.com.ar/