On Tue, Jul 06, 2021 at 10:11:36PM +0200, Sebastian Ramacher wrote: > Control: tags -1 moreinfo > > On 2021-07-06 11:20:10 +0200, Alberto Garcia wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian....@packages.debian.org > > Usertags: unblock > > > > Please unblock package wpewebkit > > > > webkit2gtk was unblocked last month, testing has the most recent > > stable version and we will provide security updates during the > > lifetime of bullseye, as we already did during buster. > > > > wpewebkit is another official port of webkit. It's maintained by the > > same team, follows a very similar release schedule and numbering > > system, shares most of the code and almost all CVEs fixes apply to > > both ports. > > > > Because of this it won't take me too much effort to prepare security > > updates for wpewebkit so the Debian security team is proposing that we > > also provide them. > > > > If we do this we should unblock the package and put the latest stable > > version in testing. At the moment the only user of wpewebkit in Debian > > is cog, which is a simple, single-window web browser, developed and > > released by the same team. So we should also unblock cog and the two > > other libraries that are part of the wpewebkit releases: libwpe and > > wpebackend-fdo (I don't know if you need separate bugs to unblock > > those). > > > > If we don't do this then it's probably a good idea to mention in the > > release notes that wpewebkit is not covered by security updates. > > What's the security team's take on this? Will browsers other than firefox, > chromium and webkit2gtk itself be security supported throughout bullseye's > lifetime?
We synced up with this before; wpewebkit is closely related to webkit and Alberto will keep both updated in stable. > The concern also extends to web rendering engines not explicitly > mentioned here, with the exception of <systemitem > role="source">webkit2gtk</systemitem>. Good point wrt the releases notes part. I guess we should simply make this "with the exception of webkit2gtk/wpewebkit". Alberto, could you file a bug against the release notes? Cheers, Moritz