
Bug#990754: unblock: wpewebkit/2.32.1-1



On Tue, Jul 06, 2021 at 10:11:36PM +0200, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
> 
> On 2021-07-06 11:20:10 +0200, Alberto Garcia wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock package wpewebkit
> > 
> > webkit2gtk was unblocked last month, testing has the most recent
> > stable version and we will provide security updates during the
> > lifetime of bullseye, as we already did during buster.
> > 
> > wpewebkit is another official port of webkit. It's maintained by the
> > same team, follows a very similar release schedule and numbering
> > system, shares most of the code and almost all CVE fixes apply to
> > both ports.
> > 
> > Because of this it won't take me too much effort to prepare security
> > updates for wpewebkit so the Debian security team is proposing that we
> > also provide them.
> > 
> > If we do this we should unblock the package and put the latest stable
> > version in testing. At the moment the only user of wpewebkit in Debian
> > is cog, which is a simple, single-window web browser, developed and
> > released by the same team. So we should also unblock cog and the two
> > other libraries that are part of the wpewebkit releases: libwpe and
> > wpebackend-fdo (I don't know if you need separate bugs to unblock
> > those).
> > 
> > If we don't do this then it's probably a good idea to mention in the
> > release notes that wpewebkit is not covered by security updates.
> 
> What's the security team's take on this? Will browsers other than firefox,
> chromium and webkit2gtk itself be security supported throughout bullseye's
> lifetime?

We synced up with this before; wpewebkit is closely related to webkit and
Alberto will keep both updated in stable.

> The concern also extends to web rendering engines not explicitly
>     mentioned here, with the exception of <systemitem
>     role="source">webkit2gtk</systemitem>.

Good point wrt the release notes part. I guess we should simply
make this "with the exception of webkit2gtk/wpewebkit". Alberto, could
you file a bug against the release notes?

Cheers,
        Moritz

