Subject: bug#53289: Removing QtWebKit
To: 53289@debbugs.gnu.org
Date: Sat, 15 Jan 2022 14:34:24 -0500
From: Leo Famulari

We need to remove QtWebKit from the distro.

The upstream project says this when you go to their download page:

------
WARNING: This release is based on old WebKit revision with known
unpatched vulnerabilities. Please use it carefully and avoid visiting
untrusted websites and using it for transmission of sensitive data.
Please wait for new release from qtwebkit-dev branch to use it with
untrusted content.
------

And a bit of discussion from the oss-sec mailing list [0], quoting here:

------
QtWebKit was a rendering engine for web content released with Qt until
5.6. It was replaced with QtWebEngine after that. Despite a community
fork in 2016, nothing really happened to keep it alive and secure.
------

And:

------
Readers of this list will likely be familiar with the regular postings
regarding WebKitGTK vulnerabilities: many of them are likely applicable
to QtWebKit too, especially the WebKitGTK-based fork
------

So, the dozens (hundreds?) of notable security bugs fixed in WebKitGTK
are totally unfixed in QtWebKit. Many of these bugs are considered
"arbitrary code execution" bugs.

And the broader context is that there won't be a future for this
package, as Qt has abandoned WebKit in favor of Chromium. This package
will not improve.

If people want to keep using QtWebKit, they can maintain it in a
channel.

[0] https://seclists.org/oss-sec/2021/q3/66