[Secure-testing-team] On the supportability of webkit

Michael Gilbert michael.s.gilbert at gmail.com
Fri Dec 18 03:03:48 UTC 2009


Hi all,

The number of open CVEs for webkit during lenny's lifetime so far has
been incredibly high. Only rivaled by openjdk and the kernel (at
times), but those seem to get updates reasonably fast even though there
are a large number.  Guisseppe has done some good work fixing a large
number of webkit issues recently, which is great, but still another 19
remain.

The root of this problem is that debian does not have access to apple's
private security list [0].  The thing is that they have already offered
access in the past (to anyone with a debian.org address) [1], but no one
stepped up to the plate.  I would take on the responsibility, but I am
not a DD.

So, I think at this point, webkit should be strongly considered for
removal in the next lenny point release (because I don't foresee things
getting any better any time soon), and possibly from squeeze as well.
However, this concern could be rendered moot should someone volunteer
to gain access to the private webkit list.

Best wishes,
Mike

[0] http://webkit.org/security/
[1] http://lists.alioth.debian.org/pipermail/secure-testing-team/2009-August/003008.html


