[arch-dev-public] Phasing out webkitgtk{,2}

Jan Alexander Steffens jan.steffens at gmail.com
Wed Jan 18 22:42:38 UTC 2017


Hello list,

WebkitGTK+ 2.4 has been unmaintained for quite a while, and lots of CVEs
have accumulated. The last release fixing CVEs, 2.4.10, only fixed about
half the vulnerabilities known, and that release was only made because
2.4.9 was broken with GTK+ 3.20, and Evolution quickly needed a working
HTML renderer.

For more information about the WebKit situation, take a look at
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

We currently have the following packages depending on webkitgtk:

webkitgtk
├─balsa
├─eclipse-common
│ ├─eclipse-cpp
│ ├─eclipse-java
│ ├─eclipse-jee
│ └─eclipse-php
├─empathy
├─geary
├─gnome-web-photo
├─gtkpod
├─liferea
├─midori
├─uzbl-core
│ └─uzbl-browser
│   └─uzbl-tabbed
├─variety
├─webkitgtk-sharp
│ └─sparkleshare
└─xombrero

And, for webkitgtk2:

webkitgtk2
├─atril
├─boinc
├─codeblocks
├─dwb
├─geany-plugins
├─gnucash
├─gphpedit
├─guitarix2
├─java-openjfx
│ └─pdfsam
├─java-openjfx-doc
├─java-openjfx-src
├─luakit
├─midori-gtk2
├─moneymanagerex
├─osmo
├─pan
├─perl-gtk2-webkit
├─python2-deepin-utils
│ └─python2-deepin-ui
│   ├─deepin-game
│   └─deepin-music
├─pywebkitgtk
│ ├─python2-deepin-ui
│ ├─python2-deepin-utils
│ ├─python2-jswebkit
│ │ └─deepin-game
│ └─screenlets
│   └─screenlets-pack-basic
├─surf
└─webkit-sharp
  ├─blam
  └─mono-tools

To protect our users we should try to limit the packages using
webkitgtk(2), with the goal of eventually getting rid of it completely. I
propose making a TODO that covers all these packages, with the following
policy:

   - If it can be updated to webkit2gtk, do so.
   - Otherwise, if WebKit is an optional dependency, build without it.
   - Otherwise, consider removing the package, especially if it's a browser.

Thoughts?

Greetings,
Jan

