On Wed, Dec 13, 2023 at 08:49:55PM -0700, Soren Stoutner wrote:
>...
> Currently there is no real security support for Qt WebEngine in stable, which
> is an oversight that might surprise many Debian users. The purpose of this
> discussion is to figure out the best way to change that.

This is not a new discussion, and there aren't any simple solutions.
The release notes for squeeze[1] released nearly 13 years ago already
had a section on limited support for browser engines.

For web browsers, shipping the latest versions is the only workable
solution.

WebKitGTK is basically the GNOME equivalent of Qt WebEngine based on a
different browser. Security support for WebKitGTK was also missing for
many years, it became feasible when upstream made commitments regarding
API/ABI compatibility and sticking to using older versions of
dependencies.

Qt has nearly 30 years history of being somewhere between open source
and freemium,[2] this is not an upstream one would expect to make such
commitments.

> Shipping LTS versions
> of Qt in stable would put us in a better position than the status quo, even if
> it doesn’t get us all the way there.
>...

When a suitable version is available updating in (old)stable might be
possible, e.g. updating qtwebengine-opensource-src in stable and
oldstable might be technically feasible and rebuilding angelfish would
be unlikely to be a dealbreaker if someone wants to discuss such a
(tested!) update with the release team.

The release team might or might not agree with such an update, but this
would not be the same as providing security support for
qtwebengine-opensource-src.

Your "better position" might actually be worse, far more surprising than
flagging something as unsupported from the beginning would be declaring
it supported and then dropping support after a year - what are users
supposed to do at that point?

cu
Adrian

[1] https://www.debian.org/releases/squeeze/amd64/release-notes.en.txt
[2] https://en.wikipedia.org/wiki/Qt_(software)#History_of_Qt