[arch-dev-public] Phasing out webkitgtk{,2}

Jan Alexander Steffens jan.steffens at gmail.com
Wed Jan 18 22:42:38 UTC 2017

Hello list,

WebkitGTK+ 2.4 has been unmaintained for quite a while, and lots of CVEs
have accumulated. The last release fixing CVEs, 2.4.10, only fixed about
half the vulnerabilities known, and that release was only made because
2.4.9 was broken with GTK+ 3.20, and Evolution quickly needed a working
HTML renderer.

For more information about the WebKit situation, take a look at

We currently have the following packages depending on webkitgtk:

│ ├─eclipse-cpp
│ ├─eclipse-java
│ ├─eclipse-jee
│ └─eclipse-php
│ └─uzbl-browser
│   └─uzbl-tabbed
│ └─sparkleshare

And, for webkitgtk2:

│ └─pdfsam
│ └─python2-deepin-ui
│   ├─deepin-game
│   └─deepin-music
│ ├─python2-deepin-ui
│ ├─python2-deepin-utils
│ ├─python2-jswebkit
│ │ └─deepin-game
│ └─screenlets
│   └─screenlets-pack-basic

To protect our users we should try to limit the packages using
webkitgtk(2)., with the goal of eventually getting rid of it completely. I
propose making a TODO that covers all these packages, with the following

   - If it can be updated to webkit2gtk, do so.
   - Otherwise, if WebKit is an optional dependency, build without it.
   - Otherwise, consider removing the package, especially if it's a browser.



More information about the arch-dev-public mailing list