Bug#777608: zenity: depends on WebKitGTK
Simon McVittie
smcv at debian.org
Sat Jan 28 12:01:41 GMT 2023
Control: retitle -1 zenity: depends on WebKitGTK
Control: severity -1 wishlist
On Tue, 10 Feb 2015 at 18:22:52 +0200, Török Edwin wrote:
> * Source:webkitgtk
> Details: No security support upstream and backports not feasible, only for
> use on trusted content
This is no longer the case in any supported Debian release: WebKitGTK
receives security updates since Debian 10. (The security-supported version
is the webkit2gtk source package, rather than webkitgtk, but modern
versions of zenity use webkit2gtk.)
> I see that zenity has a configure flag to enable/disable webkit support,
> would it be possible to provide a zenity-nohtml package that would
> "Provides: zenity" so I can keep my *DE installed without depending on a package that has
> no security support?
The problem with that approach is that an unknown number of packages and
user scripts run `zenity --text-info --html ...`, which requires the
WebKit feature to be enabled. Until now, "Depends: zenity" has been a
correct way to declare a dependency on a HTML-capable version of zenity,
so we can't easily tell whether a package with "Depends: zenity" needs
that feature or not.
One possible alternative would be to provide a package without WebKit
HTML support, named zenity-minimal or zenity-nohtml or something, but
*not* add a Provides on the zenity name, and ask high-profile dependent
packages like mutter and metacity to update their dependency to
"Depends: zenity | zenity-minimal" if they don't need the HTML feature.
That seems quite a long way to go to avoid a dependency (typically Debian
packages enable all reasonable features, even if they come with extra
dependencies); but on the other hand, WebKitGTK is very large (and in fact
in my day job I maintain a fork of the zenity packaging with HTML disabled,
for the Steam Runtime), so maybe it's worth it.
smcv
More information about the pkg-gnome-maintainers
mailing list