
Bug#990754: unblock: wpewebkit/2.32.1-1



Control: tags -1 moreinfo

On 2021-07-06 11:20:10 +0200, Alberto Garcia wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package wpewebkit
> 
> webkit2gtk was unblocked last month, testing has the most recent
> stable version and we will provide security updates during the
> lifetime of bullseye, as we already did during buster.
> 
> wpewebkit is another official port of webkit. It's maintained by the
> same team, follows a very similar release schedule and numbering
> system, shares most of the code and almost all CVEs fixes apply to
> both ports.
> 
> Because of this it won't take me too much effort to prepare security
> updates for wpewebkit so the Debian security team is proposing that we
> also provide them.
> 
> If we do this we should unblock the package and put the latest stable
> version in testing. At the moment the only user of wpewebkit in Debian
> is cog, which is a simple, single-window web browser, developed and
> released by the same team. So we should also unblock cog and the two
> other libraries that are part of the wpewebkit releases: libwpe and
> wpebackend-fdo (I don't know if you need separate bugs to unblock
> those).
> 
> If we don't do this then it's probably a good idea to mention in the
> release notes that wpewebkit is not covered by security updates.

What's the security team's take on this? Will browsers other than firefox,
chromium and webkit2gtk itself be security supported throughout bullseye's
lifetime? I'm particularly curious because the release-notes currently
state:

<section id="browser-security">
  <!-- Check if this still matches the view of the security team -->
  <title>Security status of web browsers and their rendering engines</title>
  <para>
    Debian &release; includes several browser engines which are affected by a
    steady stream of security vulnerabilities. The high rate of
    vulnerabilities and partial lack of upstream support in the form of long
    term branches make it very difficult to support these browsers and
    engines with backported security fixes.  Additionally, library
    interdependencies make it extremely difficult to update to newer upstream
    releases. Therefore, browsers built upon e.g. the webkit and khtml
    engines<footnote><para>These engines are shipped in a number of different
    source packages and the concern applies to all packages shipping
    them. The concern also extends to web rendering engines not explicitly
    mentioned here, with the exception of <systemitem
    role="source">webkit2gtk</systemitem>.</para></footnote> are included in
    &releasename;, but not
    covered by security support. These browsers should not be used against
    untrusted websites.
    The <systemitem role="source">webkit2gtk</systemitem> source package is
    covered by security support.
  </para>
  <para>
    For general web browser use we recommend Firefox or Chromium.
    They will
    be kept up-to-date by rebuilding the current ESR releases for
    stable.
    The same strategy will be applied for Thunderbird.
  </para>
</section>

If the security team extends security support to the involved packages,
then we'd want debdiffs in separate unblock bugs (except for the
upstream changes copied from webkit2gtk to wpewebkit). Also, the
release-notes need to be changed accordingly.

Cheers
-- 
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature
