package: debian-security-support severity: wishlist x-debbugs-cc: trentb...@gmail.com, 1004...@bugs.debian.org, j...@inutil.org
Hi,
in #1004293 the status of src:khtml and src:webkitgtk was discussed and
as the discussion about the latter is more complicated, I've closed
#1004293 with documenting the state of sec:khtml and am filing this
new bug to discuss webkit* based browsers in a new and fresh bug report.
On Thu, Feb 10, 2022 at 11:37:18AM +0100, Moritz Mühlenhoff wrote:
> Any reverse dependency of webkit2gtk is supported (i.e. applications like
> Epiphany, Evolution etc).
>
> Other browsers which use engines which are similarly named since they
> share a common code history are not supported:
> - qtwebkit (only present up to Buster)
> - qtwebkit-opensource-src
> - qtwebengine-opensource-src
> - webkitgtk (only present up to Stretch)
>
> This e.g. means that the default browser in KDE (Konqueror) is entirely
> unsupported with security updates.
>
> Note this isn't the case for any distro out there, we're just the only one
> transparent about in in their release notes!
>
> E.g. qtwebengine rebases to Chromium releases from time to time, but
> definitely not a pace which is needed and none of this reaches distros
> properly.
>
> I understand this is probably a little confusing, so maybe we should
> instead list specific browsers as examples for webengine related components
> which are supported and which are not.
so, for bookworm, we should add
- qtwebkit-opensource-src
- qtwebengine-opensource-src
to security-support-limited ("only for trusted content") and that's it?
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
This too shall pass.
signature.asc
Description: PGP signature
