Qt4's Webkit in Stretch

Moritz Mühlenhoff jmm at inutil.org
Mon Jan 25 17:25:06 UTC 2016


On Fri, Jan 22, 2016 at 05:16:26PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> Hi everyone! I would like to discuss the current situation for Qt4's Webkit in 
> Stretch.
> 
> Let me first start with some facts:
> 
> = Facts =
> 
> - Both Qt4 and (by inclusion) Qt4's webkit are no longer supported upstream.
> 
> - If a security bug appears in Qt4 during Stretch's lifetime I'm pretty sure 
> we will be able to come up with a patch. There are too many people depending on 
> it out there so this won't be a problem for Stretch.
> 
> - For Qt4's webkit the situation might probably be the other way around. 
> Actually we might already have (quite some?) security bugs out there.
> 
> = Removal efforts and options =
> 
> So last year we started to work on removing it [removal]. Progress is sadly 
> far from good. We still have quite a lot of apps depending on webkit in order 
> to show things like doc. Most of them do not use it for web browsing.
> 
> [removal] <https://wiki.debian.org/Qt4WebKitRemoval>
> 
> This has been discussed in the Qt/KDE team quite a lot of times with different 
> opinions. From what I could gather the possible options are:
> 
> (keep) Keep Qt4's webkit as it is in Stretch and warn users that they will get 
> *no* security support.
> 
> (removeintesting) Remove Qt4's webkit from testing, file an RC bug against it 
> so it doesn't transition and let rdeps be removed from testing until they 
> switch. Of course we will need the RT's approval for this.
> 
> (totalremove) Remove Qt4's webkit from the archive together with its rdeps 
> (or leave the rdeps RC buggy in unstable).
> 
> Does anyone have a better idea?
> 
> = What do we do? =
> 
> If we take the (keep) option we need a good way to ensure users get the fact.
> 
> If we go for any of the other two options we will need the RT/FTP team to ACK 
> the move.
> 
> So I would really like to hear the opinions of people in both teams. If you 
> really think a certain way forward should be taken please speak now.
> 
> Kind regards, Lisandro.

From my point of view, qtwebkit has never been covered by security support upstream
and in Debian. We even document this in the release notes (and for several releases
already): https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security

So (keep) is the status quo and we can just as well maintain it for stretch.

Cheers,
        Moritz




