
Bug#990754: unblock: wpewebkit/2.32.1-1



On Wed, Jul 07, 2021 at 11:53:16AM +0200, Moritz Muehlenhoff wrote:
> > What's the security team's take on this? Will browsers other than
> > firefox, chromium and webkit2gtk itself be security supported
> > throughout bullseye's lifetime?
> 
> We synced up with this before; wpewebkit is closely related to
> webkit and Alberto will keep both updated in stable.

As I said, wpewebkit and webkit2gtk releases are made almost in
parallel, the numbering scheme, etc., is almost identical and they
have joint security advisories[1]. A longer term upstream goal would
be to merge both projects and make the GTK API a layer on top of
wpewebkit, but this is not currently on the roadmap.

At the moment doing an additional security release for wpewebkit is
going to be little more than adapting the webkit2gtk advisory.

> > The concern also extends to web rendering engines not explicitly
> >     mentioned here, with the exception of <systemitem
> >     role="source">webkit2gtk</systemitem>.
> 
> Good point wrt the release notes part. I guess we should simply
> make this "with the exception of webkit2gtk/wpewebkit". Alberto,
> could you file a bug against the release notes?

Yes, but thinking about it there is something new in bullseye and I
would like to discuss it because it affects webkit2gtk as well.

The WPE WebKit project has a couple of additional libraries
called libwpe and wpebackend-fdo. They are used by wpewebkit and,
since a couple of years ago, also by webkit2gtk to implement
hardware-accelerated rendering under Wayland. In the case of
webkit2gtk this dependency is optional but recommended.

The buster builds of webkit2gtk are made with all wpe libraries
disabled because those packages were never available in buster in the
first place. In bullseye they are enabled so any security update for
bullseye would need to have them enabled as well.

Both libwpe and wpebackend-fdo are projects with little activity
and generally few and small changes. I don't expect that building
the latest version of webkit2gtk or wpewebkit for a security update
requires updating any of those libraries, but I think it can
theoretically happen. Is there a way to handle that in Debian?

Berto

[1] https://lists.webkit.org/pipermail/webkit-gtk/2021-March/003689.html

