[2017-01-18 22:42:38 +0000] Jan Alexander Steffens via arch-dev-public:
WebKitGTK+ 2.4 has been unmaintained for quite a while, and lots of CVEs have accumulated. The last release fixing CVEs, 2.4.10, only fixed about half the vulnerabilities known, and that release was only made because 2.4.9 was broken with GTK+ 3.20, and Evolution quickly needed a working HTML renderer.
For more information about the WebKit situation, take a look at https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
We currently have the following packages depending on webkitgtk:
webkitgtk
├─balsa
├─eclipse-common
│ ├─eclipse-cpp
│ ├─eclipse-java
│ ├─eclipse-jee
│ └─eclipse-php
├─empathy
├─geary
├─gnome-web-photo
├─gtkpod
├─liferea
├─midori
├─uzbl-core
│ └─uzbl-browser
│   └─uzbl-tabbed
├─variety
├─webkitgtk-sharp
│ └─sparkleshare
└─xombrero
And, for webkitgtk2:
webkitgtk2
├─atril
├─boinc
├─codeblocks
├─dwb
├─geany-plugins
├─gnucash
├─gphpedit
├─guitarix2
├─java-openjfx
│ └─pdfsam
├─java-openjfx-doc
├─java-openjfx-src
├─luakit
├─midori-gtk2
├─moneymanagerex
├─osmo
├─pan
├─perl-gtk2-webkit
├─python2-deepin-utils
│ └─python2-deepin-ui
│   ├─deepin-game
│   └─deepin-music
├─pywebkitgtk
│ ├─python2-deepin-ui
│ ├─python2-deepin-utils
│ ├─python2-jswebkit
│ │ └─deepin-game
│ └─screenlets
│   └─screenlets-pack-basic
├─surf
└─webkit-sharp
  ├─blam
  └─mono-tools
To protect our users we should try to limit the packages using webkitgtk(2), with the goal of eventually getting rid of it completely. I propose making a TODO that covers all these packages, with the following policy:

- If it can be updated to webkit2gtk, do so.
- Otherwise, if WebKit is an optional dependency, build without it.
- Otherwise, consider removing the package, especially if it's a browser.
Thoughts?
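The trees above are `pactree -r` output, and the proposed TODO is really a walk over that tree: direct dependents of webkitgtk(2) are the packages that must be ported, rebuilt without WebKit, or dropped, while deeper entries are only affected through what they pull in. The script below is an added example, not code from this thread or from the Arch packagers: it parses pactree's box-drawing format (two prefix characters per nesting level) into a parent map, deduplicates packages that appear under several parents (python2-deepin-ui and deepin-game do, above), separates direct from transitive dependents, and computes what removing any one package would break. The embedded tree is a trimmed copy of the webkitgtk2 tree from the message, constructed here so the script runs offline; the function names are my own.

```python
"""Turn `pactree -r <pkg>` output into a flat reverse-dependency worklist.

Added example for the webkitgtk audit; not the Arch developers' own tooling.
"""

# Box-drawing characters pactree uses for indentation; each nesting level is
# exactly two of them wide ("├─", "└─", "│ " or "  "), so depth = prefix_len // 2.
PREFIX_CHARS = set("├─└│ ")

# Constructed sample: a trimmed copy of the webkitgtk2 tree posted in the thread.
SAMPLE_TREE = """\
webkitgtk2
├─atril
├─java-openjfx
│ └─pdfsam
├─python2-deepin-utils
│ └─python2-deepin-ui
│   ├─deepin-game
│   └─deepin-music
├─pywebkitgtk
│ ├─python2-deepin-ui
│ ├─python2-deepin-utils
│ └─python2-jswebkit
│   └─deepin-game
└─surf
"""


def parse_pactree(text):
    """Return (root, parents) where parents maps each package in the tree to the
    set of packages it was listed under. A package printed under several parents
    (pactree repeats subtrees) is merged into one entry."""
    root = None
    parents = {}
    path = []  # package at each depth along the branch currently being read
    for line in text.splitlines():
        n = 0
        while n < len(line) and line[n] in PREFIX_CHARS:
            n += 1
        depth, rest = n // 2, line[n:].strip()
        if not rest:
            continue
        pkg = rest.split()[0]  # drop "provides foo" annotations pactree may add
        if depth == 0:
            root = pkg
            path = [pkg]
            parents.setdefault(pkg, set())
            continue
        if depth > len(path):
            raise ValueError("malformed tree, depth jump at: %r" % line)
        path = path[:depth]
        parents.setdefault(pkg, set()).add(path[-1])
        path.append(pkg)
    return root, parents


def classify(root, parents):
    """Split dependents according to the proposed policy: packages that link the
    root directly need porting, an optional-dependency rebuild, or removal; the
    rest are only affected through an intermediate package."""
    direct = sorted(p for p, ps in parents.items() if root in ps)
    indirect = sorted(p for p, ps in parents.items() if p != root and root not in ps)
    return direct, indirect


def affected_if_removed(pkg, parents):
    """Every package that transitively depends on pkg, i.e. what dropping pkg
    from the repos would break."""
    hit, frontier = set(), [pkg]
    while frontier:
        cur = frontier.pop()
        for child, ps in parents.items():
            if cur in ps and child not in hit:
                hit.add(child)
                frontier.append(child)
    return hit


if __name__ == "__main__":
    root, parents = parse_pactree(SAMPLE_TREE)
    direct, indirect = classify(root, parents)
    print("direct dependents of %s:   %s" % (root, ", ".join(direct)))
    print("indirect dependents only:     %s" % ", ".join(indirect))
    for p in direct:
        print("dropping %-22s breaks %s" % (p, sorted(affected_if_removed(p, parents)) or "nothing else"))
```

Feed it the real output of `pactree -r webkitgtk` or `pactree -r webkitgtk2` on a box that still has them installed and the direct list is the TODO; the `affected_if_removed` column tells you which AUR moves come as a package of several.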
Sounds good to me. I know many of us won't be happy to see packages we rely on dropped to the AUR, but it's either that or a myriad of security holes: the choice is clear to me.

Cheers.
--
Gaetan