Hello list, WebkitGTK+ 2.4 has been unmaintained for quite a while, and lots of CVEs have accumulated. The last release fixing CVEs, 2.4.10, only fixed about half the vulnerabilities known, and that release was only made because 2.4.9 was broken with GTK+ 3.20, and Evolution quickly needed a working HTML renderer. For more information about the WebKit situation, take a look at https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ We currently have the following packages depending on webkitgtk: webkitgtk ├─balsa ├─eclipse-common │ ├─eclipse-cpp │ ├─eclipse-java │ ├─eclipse-jee │ └─eclipse-php ├─empathy ├─geary ├─gnome-web-photo ├─gtkpod ├─liferea ├─midori ├─uzbl-core │ └─uzbl-browser │ └─uzbl-tabbed ├─variety ├─webkitgtk-sharp │ └─sparkleshare └─xombrero And, for webkitgtk2: webkitgtk2 ├─atril ├─boinc ├─codeblocks ├─dwb ├─geany-plugins ├─gnucash ├─gphpedit ├─guitarix2 ├─java-openjfx │ └─pdfsam ├─java-openjfx-doc ├─java-openjfx-src ├─luakit ├─midori-gtk2 ├─moneymanagerex ├─osmo ├─pan ├─perl-gtk2-webkit ├─python2-deepin-utils │ └─python2-deepin-ui │ ├─deepin-game │ └─deepin-music ├─pywebkitgtk │ ├─python2-deepin-ui │ ├─python2-deepin-utils │ ├─python2-jswebkit │ │ └─deepin-game │ └─screenlets │ └─screenlets-pack-basic ├─surf └─webkit-sharp ├─blam └─mono-tools To protect our users we should try to limit the packages using webkitgtk(2)., with the goal of eventually getting rid of it completely. I propose making a TODO that covers all these packages, with the following policy: - If it can be updated to webkit2gtk, do so. - Otherwise, if WebKit is an optional dependency, build without it. - Otherwise, consider removing the package, especially if it's a browser. Thoughts? Greetings, Jan