On Sat, Dec 16, 2023 at 04:33:58PM -0700, Soren Stoutner wrote:
> On Saturday, December 16, 2023 4:10:42 PM MST Adrian Bunk wrote:
> > On Sat, Dec 16, 2023 at 01:22:13PM -0700, Soren Stoutner wrote:
> > > Bookworm released with qtwebengine-opensource-src 5.15.8+dfsg-1, but
> > > 5.15.13+dfsg-1~deb12u1 was later uploaded.
> >
> > That's not true, bookworm released with 5.15.13+dfsg-1~deb12u1.
>
> How does stable initially release with an ~deb12u1?

On Sat, Dec 16, 2023 at 06:00:28PM -0700, Soren Stoutner wrote:
> Digging into this a little further, it looks like the current version of
> Angelfish does not use any Qt WebEngine private headers
> (qtwebengine5-private-dev is not listed as a build-depends).

I don't know what's going on with the headers, but there is a reason why 
the dependency gets generated:

$ nm -D /usr/bin/angelfish-webapp | grep Qt_5_PRIVATE_API
                 U _ZN22QQuickWebEngineProfile16downloadFinishedEP27QQuickWebEngineDownloadItem@Qt_5_PRIVATE_API
                 U _ZN22QQuickWebEngineProfile17downloadRequestedEP27QQuickWebEngineDownloadItem@Qt_5_PRIVATE_API
$

You are jumping to conclusions too fast without double-checking things,
which is not a good sign for someone who wants to provide security support
for what is perhaps the most difficult to support package in Debian.

That's also true for the whole effort:

Everyone who has looked at this before came to the conclusion that 
security support for browser engines is no longer possible on a
volunteer basis in Debian since it is:
- a lot of work for many CVEs, and
- requires deep technical skills of the browser engine
  (How much experience do you have modifying the Blink code?), and
- backporting fixes to ancient versions of software is sometimes easy
  but sometimes the kind of nasty work most people won't do unpaid

It is not fundamentally impossible, but it's in the order of magnitude 
of one full-time employed Blink engineer.

>...
> Now that is all cleared up, I think that next week I am going to build the
> current version of Qt 5 WebEngine for stable and test it on a system I have
> running locally, focusing specifically on all of the browsers that use Qt
> WebEngine.  If all seems to work well, would anyone have any objections to
> me uploading it to bookworm-backports?
>...

bookworm-backports are packages from trixie rebuilt for bookworm.

Whatever you want to do in backports, it has to go into unstable and
migrate to testing first.

cu
Adrian
