all messages for Guix-related lists mirrored at yhetil.org
From: Leo Famulari <leo@famulari.name>
To: 53289@debbugs.gnu.org
Subject: bug#53289: Removing QtWebKit
Date: Sat, 15 Jan 2022 14:34:24 -0500
Message-ID: <YeMhwEDXzccaSI+a@jasmine.lan>

We need to remove QtWebKit from the distro.

The upstream project says this when you go to their download page:

------
WARNING: This release is based on old WebKit revision with known
unpatched vulnerabilities. Please use it carefully and avoid visiting
untrusted websites and using it for transmission of sensitive data.
Please wait for new release from qtwebkit-dev branch to use it with
untrusted content.
------

And a bit of discussion from the oss-sec mailing list [0], quoting here:

------
QtWebKit was a rendering engine for web content released with Qt until
5.6. It was replaced with QtWebEngine after that.

Despite a community fork in 2016, nothing really happened to keep it
alive and secure.
------

And:

------
Readers of this list will likely be familiar with the regular postings
regarding WebKitGTK vulnerabilities: many of them are likely applicable
to QtWebKit too, especially the WebKitGTK-based fork
------

So, the dozens (hundreds?) of notable security bugs fixed in WebKitGTK
are totally unfixed in QtWebKit. Many of these bugs are considered
"arbitrary code execution" bugs.

And the broader context is that there won't be a future for this
package, as Qt has abandoned WebKit in favor of Chromium. This package
will not improve.

If people want to keep using QtWebKit, they can maintain it in a
channel.

[0] https://seclists.org/oss-sec/2021/q3/66



