Bug#1004293: warn users that src:webkit2gtk and src:khtml are insecure?
Moritz Mühlenhoff wrote:
> On Thu, Jan 27, 2022 at 10:01:34AM +1100, Trent W. Buck wrote:
> > Alberto Garcia wrote:
> > > Two WebKit ports are actively maintained, available in Debian and have
> > > security support: WPE WebKit and WebKitGTK (the package is called
> > > webkit2gtk for technical / historical reasons).
> > >
> > > Other WebKit ports available in Debian are not covered by security
> > > support. I know there's at least QtWebKit, I don't know if there are
> > > more.
> >
> > OK, so as I asked upthread:
> >
> > Am I misreading the Release Notes?
> >
> >     https://www.debian.org/releases/bullseye/arm64/release-notes/ch-information.en.html#limited-security-support
> >
> >     browsers built upon e.g. the webkit and khtml engines^[6] are
> >     included in bullseye, but not covered by security support.
> >
> > Are you saying that webkit2gtk is supported, but anything that USES
> > webkit2gtk is unsupported?
> >
> > If the answer is "yes", then I guess instead of
> > security-support-limited including src:webkitgtk it should include all
> > browsers that USE src:webkitgtk?
> >
> > e.g. epiphany-browser, evolution, yelp, and webkitgtk (due to MiniBrowser).
> >
> > Or, if all this stuff *is* fully supported by the Debian Security team, then
> > should I instead file a bug against the Release Notes?
>
> Any reverse dependency of webkit2gtk is supported (i.e. applications like
> Epiphany, Evolution etc).
>
> Other browsers which use engines which are similarly named since they
> share a common code history are not supported:
> - qtwebkit (only present up to Buster)
> - qtwebkit-opensource-src
> - qtwebengine-opensource-src
> - webkitgtk (only present up to Stretch)
>
> This e.g. means that the default browser in KDE (Konqueror) is entirely
> unsupported with security updates.
>
> Note this isn't the case for any distro out there, we're just the only one
> transparent about it in their release notes!
>
> E.g. qtwebengine rebases to Chromium releases from time to time, but
> definitely not at a pace which is needed, and none of this reaches distros
> properly.
>
> I understand this is probably a little confusing, so maybe we should
> instead list specific browsers as examples for webengine related components
> which are supported and which are not.

Definitely I am confused! :-)

As a sysadmin shipping Debian in prisons, I want an easy way to detect and ban packages (especially browser engines/browsers) that are not security-supported.

My initial reading of the Debian 11 release notes was "unless it is EXACTLY firefox-esr or chromium, it's not supported". So for example, I banned zenity because that uses webkit2gtk and that's not firefox-esr/chromium.

I care a lot more about having a clear list (or simple heuristic) than about keeping any specific package in/out of the list.

I *think* my life is simpler if I allow/block entire engines, because if there's a rule like "qtwebengine is supported as long as it only handles KDE help documents" then I have to fiddle-fart around proving that each app will ONLY use the engine for KDE help documents and not (for example) knewstuff content from https://autoconfig.kde.org/ocs/providers.xml (which Debian hasn't vetted).
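Trent asks above for a simple heuristic to find installed packages that pull in a browser engine Debian does not security-support. The script below is an added example for this thread; it is not part of the bug report, of debian-security-support, or of any Debian tool. It post-processes the output of dpkg-query and flags packages whose Depends field names one of the engine libraries Moritz lists as unsupported (qtwebkit, qtwebengine, khtml). The binary package names libqt5webkit5, libqt5webenginecore5 and libkf5khtml5 are my assumption about what bullseye ships and should be confirmed with apt-cache on the target release; libwebkit2gtk-4.0-37 is deliberately not flagged, because Moritz says reverse dependencies of webkit2gtk are supported. The embedded sample listing is constructed: most package names are real, example-helpviewer is hypothetical, and every Depends field is made up for illustration.

```sh
#!/bin/sh
# Added example (not from the bug thread): report installed packages whose
# Depends field names a browser-engine library that Debian does not
# security-support. Input is the output of
#   dpkg-query -W -f='${binary:Package}\t${Depends}\n'

# Engine library packages to flag. These names are an assumption about what
# bullseye ships; confirm with `apt-cache show <name>` on the target release.
# libwebkit2gtk-4.0-37 is deliberately absent: per Moritz, reverse
# dependencies of webkit2gtk are supported.
UNSUPPORTED_ENGINES='libqt5webkit5 libqt5webenginecore5 libkf5khtml5'

# Reduce a Depends field to bare package names, one per line: drop version
# constraints "(>= 1.2)", drop architecture qualifiers ":any", then split on
# "," (conjunction) and "|" (alternatives, which are flagged too, because apt
# may satisfy either branch).
depends_names() {
    printf '%s\n' "$1" |
        sed -e 's/([^)]*)//g' -e 's/:[a-z0-9-]*//g' |
        tr ',|' '\n\n' |
        tr -d ' \t' |
        sed '/^$/d'
}

# Read "package<TAB>depends" lines on stdin; print "package<TAB>engine" for
# every unsupported engine a package depends on, sorted and de-duplicated.
flag_engine_rdeps() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r pkg deps; do
        [ -n "$pkg" ] || continue
        for name in $(depends_names "$deps"); do
            for engine in $UNSUPPORTED_ENGINES; do
                [ "$name" = "$engine" ] && printf '%s\t%s\n' "$pkg" "$engine"
            done
        done
    done | sort -u
}

# Constructed sample listing. Most package names are real Debian packages,
# example-helpviewer is hypothetical, and every Depends field is made up
# for illustration; do not read them as facts about those packages.
sample_listing() {
    printf '%s\t%s\n' \
        konqueror 'kio, libkf5khtml5 (>= 5.78), libqt5webenginecore5 (>= 5.15.2)' \
        epiphany-browser 'libwebkit2gtk-4.0-37 (>= 2.34), libgtk-3-0 (>= 3.22)' \
        zenity 'libgtk-3-0 (>= 3.0), libwebkit2gtk-4.0-37 (>= 2.14)' \
        example-helpviewer 'python3:any, libqt5webkit5 | libqt5webenginecore5' \
        firefox-esr 'libgtk-3-0 (>= 3.0), libdbus-glib-1-2 (>= 0.78)'
}

# On a real system:
#   dpkg-query -W -f='${binary:Package}\t${Depends}\n' | flag_engine_rdeps
# Demo on the constructed listing; konqueror and example-helpviewer are
# flagged, the webkit2gtk users (epiphany-browser, zenity) are not.
sample_listing | flag_engine_rdeps
```

This only looks at direct Depends, so a package that reaches an engine through Recommends or through an intermediate library is missed; feeding ${Recommends} through the same function, or asking apt directly with `apt-cache rdepends --installed libkf5khtml5`, closes most of that gap. The list of engine names is the policy knob: it is meant to be kept in step with whatever the security team says is unsupported, not treated as authoritative in itself.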
Bug#1004293: warn users that src:webkit2gtk and src:khtml are insecure?
On Thu, Jan 27, 2022 at 10:01:34AM +1100, Trent W. Buck wrote:
> Alberto Garcia wrote:
> > Two WebKit ports are actively maintained, available in Debian and have
> > security support: WPE WebKit and WebKitGTK (the package is called
> > webkit2gtk for technical / historical reasons).
> >
> > Other WebKit ports available in Debian are not covered by security
> > support. I know there's at least QtWebKit, I don't know if there are
> > more.
>
> OK, so as I asked upthread:
>
> Am I misreading the Release Notes?
>
>     https://www.debian.org/releases/bullseye/arm64/release-notes/ch-information.en.html#limited-security-support
>
>     browsers built upon e.g. the webkit and khtml engines^[6] are
>     included in bullseye, but not covered by security support.
>
> Are you saying that webkit2gtk is supported, but anything that USES
> webkit2gtk is unsupported?
>
> If the answer is "yes", then I guess instead of
> security-support-limited including src:webkitgtk it should include all
> browsers that USE src:webkitgtk?
>
> e.g. epiphany-browser, evolution, yelp, and webkitgtk (due to MiniBrowser).
>
> Or, if all this stuff *is* fully supported by the Debian Security team, then
> should I instead file a bug against the Release Notes?

Any reverse dependency of webkit2gtk is supported (i.e. applications like Epiphany, Evolution etc).

Other browsers which use engines which are similarly named since they share a common code history are not supported:
- qtwebkit (only present up to Buster)
- qtwebkit-opensource-src
- qtwebengine-opensource-src
- webkitgtk (only present up to Stretch)

This e.g. means that the default browser in KDE (Konqueror) is entirely unsupported with security updates.

Note this isn't the case for any distro out there, we're just the only one transparent about it in their release notes!

E.g. qtwebengine rebases to Chromium releases from time to time, but definitely not at a pace which is needed, and none of this reaches distros properly.

I understand this is probably a little confusing, so maybe we should instead list specific browsers as examples for webengine related components which are supported and which are not.

Cheers,
        Moritz
Bug#1004293: warn users that src:webkit2gtk and src:khtml are insecure?
Alberto Garcia wrote:
> Two WebKit ports are actively maintained, available in Debian and have
> security support: WPE WebKit and WebKitGTK (the package is called
> webkit2gtk for technical / historical reasons).
>
> Other WebKit ports available in Debian are not covered by security
> support. I know there's at least QtWebKit, I don't know if there are
> more.

OK, so as I asked upthread:

Am I misreading the Release Notes?

    https://www.debian.org/releases/bullseye/arm64/release-notes/ch-information.en.html#limited-security-support

    browsers built upon e.g. the webkit and khtml engines^[6] are
    included in bullseye, but not covered by security support.

Are you saying that webkit2gtk is supported, but anything that USES webkit2gtk is unsupported?

If the answer is "yes", then I guess instead of security-support-limited including src:webkitgtk it should include all browsers that USE src:webkitgtk?

e.g. epiphany-browser, evolution, yelp, and webkitgtk (due to MiniBrowser).

Or, if all this stuff *is* fully supported by the Debian Security team, then should I instead file a bug against the Release Notes?
Bug#1004293: warn users that src:webkit2gtk and src:khtml are insecure?
On Wed, Jan 26, 2022 at 07:30:23PM +1100, Trent W. Buck wrote:
> But maybe it only meant webkit (MacOS-only, not ever in Debian) or
> "webkitgtk" (not in Debian for about 8 years)?
> But then why even mention it in the *bullseye* release notes?

WebKit is an open source browser engine that works on different platforms. A version of WebKit for a specific platform is called a "port", and there are several: some official, some unofficial, some actively maintained and some deprecated or dead.

All ports "are" WebKit (they share the majority of the code base) and you can specify which one you are referring to by calling it "the GTK port", "the Mac port", etc. Some of them have their own names for convenience ("WebKitGTK", "WebKitNIX", "QtWebKit", ...), but they're still WebKit.

Two WebKit ports are actively maintained, available in Debian and have security support: WPE WebKit and WebKitGTK (the package is called webkit2gtk for technical / historical reasons).

Other WebKit ports available in Debian are not covered by security support. I know there's at least QtWebKit, I don't know if there are more.

Berto
Bug#1004293: warn users that src:webkit2gtk and src:khtml are insecure?
Moritz Muehlenhoff wrote:
> On Tue, Jan 25, 2022 at 12:20:46AM +1100, Trent W. Buck wrote:
> > Package: debian-security-support
> > Version: 1:11+2021.03.19
> > Severity: normal
> > File: /usr/share/debian-security-support/security-support-limited
> >
> > As at Debian 11,
> >
> > * webkitgtk is in src:webkit2gtk, not src:webkit.
> > * khtml is in src:khtml, not src:kde4libs.
> >
> > GNOME3 and KDE5 have been around for a while now.
> > I think security-support-limited should be updated to reflect this.
>
> webkit2gtk is fully supported since Buster and there have been plenty of
> security updates since
> then: https://security-tracker.debian.org/tracker/source-package/webkit2gtk

Am I misreading the Release Notes?

    https://www.debian.org/releases/bullseye/arm64/release-notes/ch-information.en.html#limited-security-support

    browsers built upon e.g. the webkit and khtml engines^[6] are
    included in bullseye, but not covered by security support.

Are you saying that webkit2gtk is supported, but anything that USES webkit2gtk is unsupported?

Even if that is the case, webkit2gtk itself ships a web browser based on webkit2gtk:

    libwebkit2gtk-4.0-37:amd64: /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/MiniBrowser

That browser even accesses a remote (therefore not trusted by Debian) URL by default. (Unlike e.g. yelp, which uses webkit2gtk mainly to render content provided by Debian.) It also enables javascript (remote code execution) by default.

Since webkit2gtk includes a webkit2gtk-based browser, and "browsers built upon webkit" are "not covered by security support", I still think webkit2gtk belongs in the "security support is limited" list.

I agree that debian-security has provided security updates for webkit2gtk in the past. I think "limited" doesn't mean "we promise never to issue security updates"; I think "limited" means "we don't promise to issue security updates".

Sorry if I'm missing something obvious!

Oh! I've been assuming that when the Release Notes said only firefox-esr/chromium are supported, and explicitly gave "webkit" as an example, "webkit" meant webkit2gtk. But maybe it only meant webkit (MacOS-only, not ever in Debian) or "webkitgtk" (not in Debian for about 8 years)? But then why even mention it in the *bullseye* release notes?
Bug#1004293: warn users that src:webkit2gtk and src:khtml are insecure?
control: retitle -1 warn users that src:khtml is insecure?

On Mon, Jan 24, 2022 at 04:39:22PM +0100, Moritz Muehlenhoff wrote:
> webkit2gtk is fully supported since Buster and there have been plenty of
> security updates since
> then: https://security-tracker.debian.org/tracker/source-package/webkit2gtk
>
> khtml should in fact be added, since it's AFAICT used by Konqueror.

thanks, Moritz!

--
cheers,
        Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄        half the world's poor live in resource-rich countries. HOME: https://youtu.be/Eu6ieWI3yjI
Bug#1004293: warn users that src:webkit2gtk and src:khtml are insecure?
On Tue, Jan 25, 2022 at 12:20:46AM +1100, Trent W. Buck wrote:
> Package: debian-security-support
> Version: 1:11+2021.03.19
> Severity: normal
> File: /usr/share/debian-security-support/security-support-limited
>
> As at Debian 11,
>
> * webkitgtk is in src:webkit2gtk, not src:webkit.
> * khtml is in src:khtml, not src:kde4libs.
>
> GNOME3 and KDE5 have been around for a while now.
> I think security-support-limited should be updated to reflect this.

webkit2gtk is fully supported since Buster and there have been plenty of security updates since then: https://security-tracker.debian.org/tracker/source-package/webkit2gtk

khtml should in fact be added, since it's AFAICT used by Konqueror.

Cheers,
        Moritz
Bug#1004293: warn users that src:webkit2gtk and src:khtml are insecure?
Package: debian-security-support
Version: 1:11+2021.03.19
Severity: normal
File: /usr/share/debian-security-support/security-support-limited

As at Debian 11,

* webkitgtk is in src:webkit2gtk, not src:webkit.
* khtml is in src:khtml, not src:kde4libs.

GNOME3 and KDE5 have been around for a while now.
I think security-support-limited should be updated to reflect this.

These libraries are used by, for example, yelp and khelpcenter. This means this fix will make check-security-support whinge at most GUI users, the way it already does for needrestart users (#986507).

(I think this is a good thing. There's really no reason yelp and khelpcenter need to JIT compile docbook/mallard to HTML and then embed a custom browser engine. Get rid of them, render the HTML when the .deb is built, and just run the user's normal, security-supported browser.)

Note that someone already reported the khtml issue way back in Debian 7 (#773387), but it was marked as blocked because (paraphrasing) "KDE4 libraries are a mess and we'd end up with false positives for EVERY library in KDE" (#765452). This is substantially improved in KDE5, and (AFAICT) should no longer block "correctly report src:khtml is insecure crap".

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-0.bpo.2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debian-security-support depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.77
ii  gettext-base           0.21-4

debian-security-support recommends no packages.

debian-security-support suggests no packages.

-- debconf information:
  debian-security-support/earlyend:
  debian-security-support/ended:
  debian-security-support/limited: