
Re: Bug#1057755: Qt WebEngine Security Support In Stable



Alberto

On Thursday, December 14, 2023 6:23:57 PM MST Alberto Garcia wrote:
> I would like to offer my (outsider) perspective as the Debian
> WebKitGTK / WPE WebKit maintainer.

Thanks for that perspective.  It is very informative.

> - The project created a policy to support Debian and Ubuntu LTS by not
>   bumping the dependencies:

What WebKitGTK has accomplished is impressive.  Specifically, that you are able 
to release updated packages, including feature updates, cleanly into stable 
and oldstable.  As you point out, doing so with Qt WebEngine would require 
significant changes to the way upstream works.

Luckily, my intentions are much less ambitious.  I would just like to handle 
security support for stable without adding full new feature releases.

> If you still want to give it a go maybe try updating the Qt WebEngine
> via backports first, although if that requires that the Qt / KDE
> maintainers stick to a specific LTE branch then you need to coordinate
> that with them first.

I think this is the best way forward.  Bookworm released with an LTS version 
of Qt 5 and a non-LTS version of Qt 6.  It seems it should be fairly easy to 
start maintaining proper security support for Qt 5 WebEngine through 
backports.  If we can get trixie to release with an LTS version of Qt 6, we 
can then maintain security updates for both versions of Qt.  Based on how well 
that works, we can then evaluate using the standard security infrastructure to 
handle these instead of backports.

Something similar has already been done once through a stable point release.  
Bookworm released with qtwebengine-opensource-src 5.15.8+dfsg-1, but 
5.15.13+dfsg-1~deb12u1 was later uploaded.  Perhaps Dmitry could provide some 
insight into the motivation behind the update and any difficulties that were 
encountered.

At this point, the biggest remaining question is what is the private header 
that angelfish is using in Qt WebEngine and why?  Can one of the angelfish 
maintainers or someone else familiar with the reasoning provide an 
explanation?

Thanks,

Soren

-- 
Soren Stoutner
soren@stoutner.com
