Bug#1057755: Qt WebEngine Security Support In Stable
- To: Soren Stoutner <soren@stoutner.com>
- Cc: Mike Gabriel <sunweaver@debian.org>, 1057755@bugs.debian.org, Patrick Franz <deltaone@debian.org>, Debian UBports Team <team+ubports@tracker.debian.org>, Debian Release Team <debian-release@lists.debian.org>, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>, Dmitry Shachnev <mitya57@debian.org>, Debian Security Team <security@debian.org>, Pirate Praveen <praveen@debian.org>, Nilesh Patra <nilesh@debian.org>, Aurélien COUDERC <coucouf@debian.org>, Fritz Reichwald <reichwald@b1-systems.de>, Thomas Goirand <thomas@goirand.fr>
- Subject: Bug#1057755: Qt WebEngine Security Support In Stable
- From: Adrian Bunk <bunk@debian.org>
- Date: Fri, 15 Dec 2023 01:19:17 +0200
- Message-id: <ZXuNdExxINc2SIqT@localhost>
- Reply-to: Adrian Bunk <bunk@debian.org>, 1057755@bugs.debian.org
- In-reply-to: <4f1f9ca8-61a4-43f6-b3bc-38752dbe9161@stoutner.com>
- References: <170199911428.713712.13945181272059018033.reportbug@soren-desktop.stoutner.com> <4190101.1IzOArtZ34@treadstone-71> <1889894.itTzSnWKVK@soren-desktop> <20231214075802.Horde.bt03VsbWf7zcH_G4skR3c_V@mail.das-netzwerkteam.de> <4f1f9ca8-61a4-43f6-b3bc-38752dbe9161@stoutner.com> <170199911428.713712.13945181272059018033.reportbug@soren-desktop.stoutner.com>
On Thu, Dec 14, 2023 at 12:48:08PM -0700, Soren Stoutner wrote:
>...
> This plan does not address oldstable security support.
>...
Non-LTS oldstable is the 3rd year of stable security support;
this is required for giving users time to schedule the invasive
upgrades to a new Debian stable at a convenient time.

LTS oldstable (after regular security support has ended) is a paid
endeavour outside the scope of what Debian volunteers are expected
to support.
>...
> 3. When the LTS in stable is no longer supported, security patches can be
> backported from the current LTS to the one in stable.
>
> This sounds like a doable amount of security work and I would be willing to
> undertake it.
>...
By calling this "doable" you are demonstrating that you do not fully
grasp why browser engines are considered unsupportable.

In recent years, chromium had on average more than 1 CVE per day:
https://security-tracker.debian.org/tracker/source-package/chromium
> Soren Stoutner
cu
Adrian