[arch-dev-public] Phasing out webkitgtk{,2}

Gaetan Bisson bisson at archlinux.org
Thu Jan 19 00:12:16 UTC 2017


[2017-01-18 22:42:38 +0000] Jan Alexander Steffens via arch-dev-public:
> WebkitGTK+ 2.4 has been unmaintained for quite a while, and lots of CVEs
> have accumulated. The last release fixing CVEs, 2.4.10, only fixed about
> half the vulnerabilities known, and that release was only made because
> 2.4.9 was broken with GTK+ 3.20, and Evolution quickly needed a working
> HTML renderer.
> 
> For more information about the WebKit situation, take a look at
> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
> 
> We currently have the following packages depending on webkitgtk:
> 
> webkitgtk
> ├─balsa
> ├─eclipse-common
> │ ├─eclipse-cpp
> │ ├─eclipse-java
> │ ├─eclipse-jee
> │ └─eclipse-php
> ├─empathy
> ├─geary
> ├─gnome-web-photo
> ├─gtkpod
> ├─liferea
> ├─midori
> ├─uzbl-core
> │ └─uzbl-browser
> │   └─uzbl-tabbed
> ├─variety
> ├─webkitgtk-sharp
> │ └─sparkleshare
> └─xombrero
> 
> And, for webkitgtk2:
> 
> webkitgtk2
> ├─atril
> ├─boinc
> ├─codeblocks
> ├─dwb
> ├─geany-plugins
> ├─gnucash
> ├─gphpedit
> ├─guitarix2
> ├─java-openjfx
> │ └─pdfsam
> ├─java-openjfx-doc
> ├─java-openjfx-src
> ├─luakit
> ├─midori-gtk2
> ├─moneymanagerex
> ├─osmo
> ├─pan
> ├─perl-gtk2-webkit
> ├─python2-deepin-utils
> │ └─python2-deepin-ui
> │   ├─deepin-game
> │   └─deepin-music
> ├─pywebkitgtk
> │ ├─python2-deepin-ui
> │ ├─python2-deepin-utils
> │ ├─python2-jswebkit
> │ │ └─deepin-game
> │ └─screenlets
> │   └─screenlets-pack-basic
> ├─surf
> └─webkit-sharp
>   ├─blam
>   └─mono-tools
> 
> To protect our users we should try to limit the packages using
> webkitgtk(2), with the goal of eventually getting rid of it completely. I
> propose making a TODO that covers all these packages, with the following
> policy:
> 
>    - If it can be updated to webkit2gtk, do so.
>    - Otherwise, if WebKit is an optional dependency, build without it.
>    - Otherwise, consider removing the package, especially if it's a browser.
> 
> Thoughts?

Sounds good to me.

I know many of us won't be happy to see packages we rely on dropped to
the AUR, but it's either that or a myriad of security holes: the choice
is clear to me.

Cheers.



-- 
Gaetan