[2017-01-18 22:42:38 +0000] Jan Alexander Steffens via arch-dev-public:
> WebkitGTK+ 2.4 has been unmaintained for quite a while, and lots of CVEs
> have accumulated. The last release fixing CVEs, 2.4.10, only fixed about
> half the vulnerabilities known, and that release was only made because
> 2.4.9 was broken with GTK+ 3.20, and Evolution quickly needed a working
> HTML renderer.
>
> For more information about the WebKit situation, take a look at
> https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
>
> We currently have the following packages depending on webkitgtk:
>
> webkitgtk
> ├─balsa
> ├─eclipse-common
> │ ├─eclipse-cpp
> │ ├─eclipse-java
> │ ├─eclipse-jee
> │ └─eclipse-php
> ├─empathy
> ├─geary
> ├─gnome-web-photo
> ├─gtkpod
> ├─liferea
> ├─midori
> ├─uzbl-core
> │ └─uzbl-browser
> │   └─uzbl-tabbed
> ├─variety
> ├─webkitgtk-sharp
> │ └─sparkleshare
> └─xombrero
>
> And, for webkitgtk2:
>
> webkitgtk2
> ├─atril
> ├─boinc
> ├─codeblocks
> ├─dwb
> ├─geany-plugins
> ├─gnucash
> ├─gphpedit
> ├─guitarix2
> ├─java-openjfx
> │ └─pdfsam
> ├─java-openjfx-doc
> ├─java-openjfx-src
> ├─luakit
> ├─midori-gtk2
> ├─moneymanagerex
> ├─osmo
> ├─pan
> ├─perl-gtk2-webkit
> ├─python2-deepin-utils
> │ └─python2-deepin-ui
> │   ├─deepin-game
> │   └─deepin-music
> ├─pywebkitgtk
> │ ├─python2-deepin-ui
> │ ├─python2-deepin-utils
> │ ├─python2-jswebkit
> │ │ └─deepin-game
> │ └─screenlets
> │   └─screenlets-pack-basic
> ├─surf
> └─webkit-sharp
>   ├─blam
>   └─mono-tools
>
> To protect our users we should try to limit the packages using
> webkitgtk(2), with the goal of eventually getting rid of it completely. I
> propose making a TODO that covers all these packages, with the following
> policy:
>
> - If it can be updated to webkit2gtk, do so.
> - Otherwise, if WebKit is an optional dependency, build without it.
> - Otherwise, consider removing the package, especially if it's a browser.
>
> Thoughts?
Sounds good to me. I know many of us won't be happy to see packages we rely on dropped to the AUR, but it's either that or a myriad of security holes: the choice is clear to me. Cheers. -- Gaetan

