On 2021-07-07 11:53:16 +0200, Moritz Muehlenhoff wrote:
> On Tue, Jul 06, 2021 at 10:11:36PM +0200, Sebastian Ramacher wrote:
> > Control: tags -1 moreinfo
> >
> > On 2021-07-06 11:20:10 +0200, Alberto Garcia wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > User: release.debian.org@packages.debian.org
> > > Usertags: unblock
> > >
> > > Please unblock package wpewebkit
> > >
> > > webkit2gtk was unblocked last month, testing has the most recent
> > > stable version and we will provide security updates during the
> > > lifetime of bullseye, as we already did during buster.
> > >
> > > wpewebkit is another official port of webkit. It's maintained by the
> > > same team, follows a very similar release schedule and numbering
> > > system, shares most of the code and almost all CVE fixes apply to
> > > both ports.
> > >
> > > Because of this it won't take me too much effort to prepare security
> > > updates for wpewebkit so the Debian security team is proposing that we
> > > also provide them.
> > >
> > > If we do this we should unblock the package and put the latest stable
> > > version in testing. At the moment the only user of wpewebkit in Debian
> > > is cog, which is a simple, single-window web browser, developed and
> > > released by the same team. So we should also unblock cog and the two
> > > other libraries that are part of the wpewebkit releases: libwpe and
> > > wpebackend-fdo (I don't know if you need separate bugs to unblock
> > > those).
> > >
> > > If we don't do this then it's probably a good idea to mention in the
> > > release notes that wpewebkit is not covered by security updates.
> >
> > What's the security team's take on this? Will browsers other than firefox,
> > chromium and webkit2gtk itself be security supported throughout bullseye's
> > lifetime?
>
> We synced up with this before; wpewebkit is closely related to webkit and
> Alberto will keep both updated in stable.

Is this also the plan for cog, wpebackend-fdo and libwpe?

Cheers

>
> > The concern also extends to web rendering engines not explicitly
> > mentioned here, with the exception of <systemitem
> > role="source">webkit2gtk</systemitem>.
>
> Good point wrt the release notes part. I guess we should simply
> make this "with the exception of webkit2gtk/wpewebkit". Alberto, could
> you file a bug against the release notes?
>
> Cheers,
> Moritz
>

--
Sebastian Ramacher