Bug#594550: RM: webkit/1.0.1-4+lenny2
On Fri, 27 Aug 2010 08:49:54 +0200, Philipp Kern wrote:
> On Fri, Aug 27, 2010 at 12:01:37AM -0400, Michael Gilbert wrote:
> > The lenny webkit package has an insurmountable number of security
> > vulnerabilities . The version included there was of an experimental
> > nature, and the only front end available is the builtin GtkLauncher
> > app, which isn't very functional itself and is likely used by no one.
> > There are no reverse dependencies.
> > Please remove the package for the upcoming lenny point release. I've
> > brought this up with the security team and webkit maintainers ,,
> > and there has so far been no objection. However, I also didn't get
> > any responses either way. You may want to try to touch base with
> > either/both teams directly.
> > I think removal is the only supportable course of action.
> The secure-testing list is inappropriate to ask the security team about a
> package in Lenny. Please use the appropriate contact and get them to reply.
I was more concerned about getting feedback from the webkit
developers. I've already talked to Moritz Muehlenhoff from the
security team about this directly.
> Some CVEs are listed as "minor issue - no DSA", so it wouldn't be valid
> to remove it for that.
Perhaps 10 of the 50 or so issues are no-dsa. I think it's valid to
remove it due to the 40 other issues.
> (Sadly it seems that there's no overview to list
> a package's vulnerabilities in Lenny at a glance?)
No, there currently isn't a straightfoward way to do that. However,
you could look at the stable overall page and count the number of
webkit issues there.
However, it seems a direct removal isn't so straightforward since there
are two reverse dependencies: mono-tools-gui and
claws-mail-extra-plugins. Note that the popcon counts are low for
those: 131  and 258  respectively. Perhaps it would be ok to
remove them as well?
Or perhaps instead there could be an end-of-life security announcement?