Control: severity -1 important
On 2017-02-13 15:57, Raphaël Hertzog wrote:
> python-qt4 dropped support for QtWebkit it's because it was not
> possible to provide security support for it (cf #784514). You disabled
> that support in response to that bug.
> But later you decided to re-enable it using an embedded copy, the net
> result is that python-qgis is now shipping files that used to be
> shipped by python-qt4:
> /usr/lib/python2.7/dist-packages/PyQt4/QtWebKit.x86_64-linux-gnu.so

Yes, because QGIS without QtWebKit loses most plugins and other
functionality demanded by users.

> There are two problems:
> 1/ the upgrade is not safe, you can have conflicts with python-qt4 if
> python-qgis is upgraded before python-qt4 (even more likely in Kali
> where we kept QtWebkit a while longer in python-qt4)

Adding Breaks/Replaces is no problem.

> 2/ if QtWebkit cannot be supported in python-qt4, it also cannot be
> supported in python-qgis

It doesn't have to be supported to be included.

> IMO you should disable that embedded copy usage or at least get a prior
> ack from the security team.

NAK, the QtWebKit support stays as it's in the interest of our users.

Upstream added the QtWebKit support for Python because the C++ package
(qtwebkit) is still available and only the in development 3.x branch of
QGIS has support for Qt5.

The debian-security-support package already warns about no security
support for qtwebkit so that doesn't change anything wrt QtWebKit
support in QGIS.

Kind Regards,
Bas