On Fri, Aug 27, 2010 at 00:01:37 -0400, Michael Gilbert wrote:
> The lenny webkit package has an insurmountable number of security
> vulnerabilities [0]. The version included there was of an experimental
> nature, and the only front end available is the builtin GtkLauncher
> app, which isn't very functional itself and is likely used by no one.
> There are no reverse dependencies.
>
> Please remove the package for the upcoming lenny point release. I've
> brought this up with the security team and webkit maintainers [1],[2],
> and there has so far been no objection. However, I also didn't get
> any responses either way. You may want to try to touch base with
> either/both teams directly.
>
> I think removal is the only supportable course of action.
>

Talking to Mirco Bauer, maintainer of the only webkit rev-dep in lenny, a
few days ago:

15:55:34 < meebey> the reason mono-tools was granted to use webkit is that mono-tools use a sane and defined subset of HTML for rendering documentation files
15:55:38 < meebey> which are only offline available
[...]
15:57:30 < meebey> it can't display any content found on HTTP servers
15:57:33 < meebey> only local files
15:58:02 < meebey> and it only renders special compiled (using monodoc) files, not even simple HTML files
15:58:14 < meebey> that was the only reason it was granted to be shipped in lenny
15:58:28 < meebey> while everything else had to disable webkit usage

I don't think removal makes sense, as no browser in lenny uses webkit,
and if it's only used to display trusted content then I don't think the
issues are so severe.

Cheers,
Julien