[Secure-testing-team] Bug#594550: RM: webkit/1.0.1-4+lenny2

Sune Vuorela nospam at vuorela.dk
Tue Aug 31 19:57:49 UTC 2010


On 2010-08-31, Moritz Muehlenhoff <jmm at inutil.org> wrote:
> We would need to check how these packages use webkit, maybe they can be
> adapted.

I would really like if we could describe gtkwebkit as gtkwebkit, rather
than using 'webkit' (which is the common codebase used by gtk people, by
nokia/Qt, by chrome, by safari, maybe also by RIM). 

Just because the gnome/gtk world once again stomps over 'common
namespaces' shouldn't give them any special advantages.

> The following packages contain webkit or have a webkit heritage:
>

> kdelibs/kdelibs4: Only few webkit issues also affect khtml, since the 
> code bases have forked away from each other quite some time ago and
> webkit has seen lots of changes and rewrites.

It is the other way around. webkit has a KHTML heritage. 
They have been taking very different ways, and filing webkit security 
issues against khtml packages is just pretty useless.

> qt4: It embeds a webkit copy, but does any application in the archive
> use it? It seems as if Nokia doesn't systematically track security

Arora, rekonq, KDE Plasma Desktop, KDE Plasma Netbook, maybe kmail,
merkaartor, kpart-webkit, (just from the top of my head)

> issues either. If the webkit version embedded is the same as the
> webkit version in Debian it might be straightforward to carry the
> patches over. The alternative: Mark QT4 as unsupported security-wise.

> Webkit: Patches need to be backported, but we need more maintainers
> involved and committed to backporting patches. A few people need to
> step up and commit to it, otherwise it's bound to fail for Squeeze
> as it failed for Lenny.

Most of all these webkit things have very different branchpoints and
actual codebases. Different JavaScript engines. Different frontends.
Different security issues.

But until nokia, google, apple and others agree on an actual shared
release of a webcore/javascriptcore library, things won't really change
in this regard. And I see no real movement in that direction either.

/Sune
