On Sun, May 21, 2017 at 9:43 AM, Adrian Bunk <b...@debian.org> wrote: > 2. WebKitGTK+
The primary package of concern here in Debian Stretch is webkit2gtk . For a year now, Ubuntu has been updating webkit2gtk [1] as security updates [2] just fine. Ubuntu 16.04 LTS started with 2.10 and has upgraded it to the major new version 2.12, 2.14, and now 2.16. So far this has been done with sufficient testing that we have not introduced any significant regressions in webkit2gtk to 16.04 yet. In fact, Debian is the largest major distro that does not upgrade webkit2gtk like this. It is not too late to change this policy for Debian Stretch, but my understanding is that the Debian Security team has absolutely refused to extend the "browser exception" (to allow major new versions) to webkit2gtk, despite the pleading of the Debian and upstream webkit2gtk maintainers. The webkit2gtk developers have made several improvements to try to make these updates more suitable for distros like Debian Stable to ship. [3] [4] Therefore, I urge the Debian Security team to revisit their decision and allow new major versions of webkit2gtk to be treated as security updates for Debian Stretch. [1] https://launchpad.net/ubuntu/+source/webkit2gtk [2] https://www.ubuntu.com/usn/usn-3257-1/ [3] https://trac.webkit.org/wiki/WebKitGTK/DependenciesPolicy [4] https://webkitgtk.org/security.html Thank you, Jeremy Bicha
