<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Sorry, I forgot to include the webkit maintainers list and Ubuntu
Security in this.<br>
<br>
-------- Original Message --------
<table class="moz-email-headers-table" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject: </th>
<td>Re: Bug#649625: webkit unmaintained security-wise (again)</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
<td>Thu, 26 Jan 2012 10:03:57 -0600</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
<td>Micah Gersten <a class="moz-txt-link-rfc2396E" href="mailto:micah@ubuntu.com"><micah@ubuntu.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td>Gustavo Noronha Silva <a class="moz-txt-link-rfc2396E" href="mailto:kov@debian.org"><kov@debian.org></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">CC: </th>
<td>Simon Paillard <a class="moz-txt-link-rfc2396E" href="mailto:spaillard@debian.org"><spaillard@debian.org></a>, Moritz
Muehlenhoff <a class="moz-txt-link-rfc2396E" href="mailto:jmm@debian.org"><jmm@debian.org></a>, <a class="moz-txt-link-abbreviated" href="mailto:mrobinson@webkit.org">mrobinson@webkit.org</a>,
<a class="moz-txt-link-abbreviated" href="mailto:debian-security@lists.debian.org">debian-security@lists.debian.org</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<pre>On 12/08/2011 10:38 AM, Gustavo Noronha Silva wrote:
> Hey,
>
> On Mon, 2011-12-05 at 21:00 +0100, Simon Paillard wrote:
>> If the situation persists, it may be worth warning *squeeze* users, through a
>> dedicated DSA/d-security-announce, as well as a dedicated paragraph in the next
>> point release announce ?
> Yeah, that sounds sane. Unfortunately we (mostly myself) underestimated
> the amount of work that it would take and overestimated the help we
> would get, which is never a good thing.
>
> We briefly discussed this issue during the recent webkit hackfest and we
> are trying to figure out a more sustainable way of providing security
> support. If anyone would like to help, we can nominate people to the
> webkit security mailing list, and have an IRC meeting along with other
> WebKitGTK+ people to see what we could do about this, what do you say?
>
>
In Ubuntu, we need to maintain a stable branch of webkitgtk+ for 5 years
for our upcoming LTS. That is from Apr 2012 to Apr 2017. We'll be
using the webkitgtk+ 1.8 branch since it's the most recent with GTK2 and
GTK3 support. I'd like to find other like minded people to help
maintain this branch. I assume that if Debian can standardize on 1.8,
that would be helpful for 3.5 years or so (6 months until wheezy
releases, 2 yrs of stable, 1 yr of old stable). How does this sound to
people?
--
Micah Gersten
Ubuntu Security Team
</pre>
</body>
</html>