On Fri, 27 Aug 2010 08:49:54 +0200, Philipp Kern wrote:
> On Fri, Aug 27, 2010 at 12:01:37AM -0400, Michael Gilbert wrote:
> > The lenny webkit package has an insurmountable number of security
> > vulnerabilities [0]. The version included there was of an experimental
> > nature, and the only front end available is the builtin GtkLauncher
> > app, which isn't very functional itself and is likely used by no one.
> > There are no reverse dependencies.
> >
> > Please remove the package for the upcoming lenny point release. I've
> > brought this up with the security team and webkit maintainers [1],[2],
> > and there has so far been no objection. However, I also didn't get
> > any responses either way. You may want to try to touch base with
> > either/both teams directly.
> >
> > I think removal is the only supportable course of action.
>
> The secure-testing list is inappropriate to ask the security team about a
> package in Lenny. Please use the appropriate contact and get them to reply.
I was more concerned about getting feedback from the webkit developers. I've already talked to Moritz Muehlenhoff from the security team about this directly.

> Some CVEs are listed as "minor issue - no DSA", so it wouldn't be valid
> to remove it for that.

Perhaps 10 of the 50 or so issues are no-dsa. I think it's valid to remove it due to the 40 other issues.

> (Sadly it seems that there's no overview to list
> a package's vulnerabilities in Lenny at a glance?)

No, there currently isn't a straightforward way to do that. However, you could look at the stable overall page and count the number of webkit issues there.

However, it seems a direct removal isn't so straightforward since there are two reverse dependencies: mono-tools-gui and claws-mail-extra-plugins. Note that the popcon counts are low for those: 131 [1] and 258 [2] respectively. Perhaps it would be ok to remove them as well? Or perhaps instead there could be an end-of-life security announcement?

Thanks,
Mike