
Bug#990754: unblock: wpewebkit/2.32.1-1



On 2021-07-07 13:01:32 +0200, Alberto Garcia wrote:
> On Wed, Jul 07, 2021 at 11:53:16AM +0200, Moritz Muehlenhoff wrote:
> > > What's the security team's take on this? Will browsers other than
> > > firefox, chromium and webkit2gtk itself be security supported
> > > throughout bullseye's lifetime?
> > 
> > We synced up with this before; wpewebkit is closely related to
> > webkit and Alberto will keep both updated in stable.
> 
> As I said wpewebkit and webkit2gtk releases are made almost in
> parallel, the numbering scheme, etc., is almost identical and they
> have joint security advisories[1]. A longer term upstream goal would
> be to merge both projects and make the GTK API a layer on top of
> wpewebkit, but this is not currently on the roadmap.
> 
> At the moment doing an additional security release for wpewebkit is
> going to be little more than adapting the webkit2gtk advisory.

ACK, then please send a (filtered) debdiff for wpewebkit to the bug
report so that we can look at unblocking it.

Cheers

> 
> > > The concern also extends to web rendering engines not explicitly
> > >     mentioned here, with the exception of <systemitem
> > >     role="source">webkit2gtk</systemitem>.
> > 
> > Good point wrt the release notes part. I guess we should simply
> > make this "with the exception of webkit2gtk/wpewebkit". Alberto,
> > could you file a bug against the release notes?
> 
> Yes, but thinking about it there is something new in bullseye and I
> would like to discuss it because it affects webkit2gtk as well.
> 
> The WPE WebKit project has a couple of additional libraries
> called libwpe and wpebackend-fdo. They are used by wpewebkit and,
> since a couple of years ago, also by webkit2gtk to implement
> hardware-accelerated rendering under Wayland. In the case of
> webkit2gtk this dependency is optional but recommended.
> 
> The buster builds of webkit2gtk are made with all wpe libraries
> disabled because those packages were never available in buster in the
> first place. In bullseye they are enabled so any security update for
> bullseye would need to have them enabled as well.
> 
> Both libwpe and wpebackend-fdo are projects with little activity
> and generally few and small changes. I don't expect that building
> the latest version of webkit2gtk or wpewebkit for a security update
> requires updating any of those libraries, but I think it can
> theoretically happen. Is there a way to handle that in Debian?
> 
> Berto
> 
> [1] https://lists.webkit.org/pipermail/webkit-gtk/2021-March/003689.html
> 

-- 
Sebastian Ramacher
