Hi, Qtwebkit has been unmaintained for a long time (last release from annulen's fork was almost 3 years ago) and is plagued with security issues by now. Most consumers are either dead upstream, of they use it to provide optional functionality that can be disabled at build time. I propose to drop it from our repos, together with all packages which use it non-optionally. Other distros such as Opensuse and Gentoo have done it already. If there are no objections, I will open a todo list to disable the dependency in all packages where it's possible, and otherwise drop them.
Antonio Rojas <arojas@archlinux.org> on Wed, 2022/11/09 17:34:
Hi, Qtwebkit has been unmaintained for a long time (last release from annulen's fork was almost 3 years ago) and is plagued with security issues by now. Most consumers are either dead upstream, of they use it to provide optional functionality that can be disabled at build time. I propose to drop it from our repos, together with all packages which use it non-optionally. Other distros such as Opensuse and Gentoo have done it already. If there are no objections, I will open a todo list to disable the dependency in all packages where it's possible, and otherwise drop them.
Just to be sure... We speak about package 'qt5-webkit' here? -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
El miércoles, 9 de noviembre de 2022 21:52:48 (CET) Christian Hesse escribió:
Just to be sure... We speak about package 'qt5-webkit' here?
Correct
On 11/9/22 17:34, Antonio Rojas wrote:
Hi, Qtwebkit has been unmaintained for a long time (last release from annulen's fork was almost 3 years ago) and is plagued with security issues by now. Most consumers are either dead upstream, of they use it to provide optional functionality that can be disabled at build time. I propose to drop it from our repos, together with all packages which use it non-optionally. Other distros such as Opensuse and Gentoo have done it already. If there are no objections, I will open a todo list to disable the dependency in all packages where it's possible, and otherwise drop them.
That would be a quite good step, it's really old and piling up on problems facing a lot of untrusted data. huge +1 Thanks a lot for bringing this up and taking care of the todo. Cheers, Levente
El miércoles, 9 de noviembre de 2022 17:34:44 (CET) Antonio Rojas escribió:
If there are no objections, I will open a todo list to disable the dependency in all packages where it's possible, and otherwise drop them.
This turned out to be less problematic than expected. Many of the dependants already support webengine via configure switches or upstream patches and could be ported, others weren't really using it and just had a leftover dependency. After porting all these and removing the dependency where it was optional, these are the remaining users: acetoneiso2: last release 12 years ago, was never officially ported to Qt5 quiterss: no porting efforts have been started https://github.com/QuiteRSS/quiterss/issues/909 smtube: our announcement triggered some work to port it to webengine, but doesn't seem it will be finished any time soon https://github.com/smplayer-dev/smtube/pull/21 swift-im: dead for 4 years wkhtmltopdf: pretty much dead https://github.com/wkhtmltopdf/wkhtmltopdf/issues/5160 Any objections to dropping all of them?
Le jeudi 17 novembre 2022, 20:07:01 CET Antonio Rojas a écrit :
El miércoles, 9 de noviembre de 2022 17:34:44 (CET) Antonio Rojas escribió:
If there are no objections, I will open a todo list to disable the dependency in all packages where it's possible, and otherwise drop them. This turned out to be less problematic than expected. Many of the dependants already support webengine via configure switches or upstream patches and could be ported, others weren't really using it and just had a leftover dependency. After porting all these and removing the dependency where it was optional, these are the remaining users:
acetoneiso2: last release 12 years ago, was never officially ported to Qt5 Can be safely dropped quiterss: no porting efforts have been started https://github.com/QuiteRSS/quiterss/issues/909 smtube: our announcement triggered some work to port it to webengine, but doesn't seem it will be finished any time soon https://github.com/smplayer-dev/smtube/pull/21 swift-im: dead for 4 years wkhtmltopdf: pretty much dead https://github.com/wkhtmltopdf/wkhtmltopdf/issues/5160
Any objections to dropping all of them?
++
El jueves, 17 de noviembre de 2022 20:07:01 (CET) Antonio Rojas escribió:
Any objections to dropping all of them?
All gone.
participants (4)
-
Antonio Rojas
-
Christian Hesse
-
Laurent Carlier
-
Levente Polyak