Darren J Moffat wrote:
> Alfred Peng wrote:
>> Thanks for the comments.
>>
>> Option #2 looks good to me. I'll add those to the manual page if people
>> agree with this.
>
> I still haven't seen an answer to what happens on other platforms that
> ship webkit. How is webkit delivered and documented on Linux distros ?
>
> Why should we be different to other platforms ?
>

In truth, Darren, it's hard to find real documentation on this particular package for various Linux distros. We seem to be the only community that either caught or cared about the default libsoup behavior. I suspect it's an almost certainty that they deliver the package untouched from the upstream. I also suspect that it's installed as a dependency for some other package 90%+ of the time.
But also, although I really did look, I'm not sure why we're reviewing delivery into Linux distros. I completely understand the "familiarity" refrain that is often espoused, but that's such a broad brush to use to paint over packages. While it may be convenient and prudent for Linux distros to just deliver the package with 0% change, they also don't have the certificate issue we seem to have. And as near as I can tell, Linux familiarity was a directive given by marketing as a means to provide a similar experience to developers. I doubt it was a directive given because package delivery in Linux distros is such a robust and sound engineering model.

I appreciate the need to provide the bounty of product packages that Linux currently enjoys, believe it or not. Adoption is critical to the future of OpenSolaris (the community AND the commercial distribution) -- Linux is a development platform target we are currently *chasing*. But I don't think we have to emulate Linux developers' library delivery to the exclusion of all other architectural concerns.

If we end up delivering WebKit in pseudo-parity with Linux distros, then I believe the precedent we'd be setting would be: "When in doubt, Linux familiarity trumps perceived security gaps." If the answer to all future FOSS library packaging questions is "what would Linux do?", then I see a diminishing value for LSARC in the nascent reality called OpenSolaris(tm). I'd rather use the familiarity mantra to define strategic decisions (should we port this? should we port that?), but it's of less value to me at a tactical level.

Although the possible security impact is rather high (in my estimation), the risk of occurrence has to be really quite small. We've probably spent more energy and time debating this than the likely window of mishap. I'm ready to move on.