Bug#1034364: kde-baseapps depends on konqueror which is not security maintained

2023-04-18 Thread Lisandro Damián Nicanor Pérez Meyer
Hi again

And tip: have you noticed that the default web engine for Konqueror is
actually Qt5's webengine?

On Tue, 18 Apr 2023 at 04:30, Bernhard Reiter  wrote:
>
> Hi,
>
> Am Dienstag 18 April 2023 04:55:35 schrieb Lisandro Damián Nicanor Pérez
> Meyer:
> > On Mon, 17 Apr 2023 at 12:34, Bernhard Reiter 
> wrote:
>
> > > Konqueror is advertised as web browser, which means it will (offer to)
> > > open URLs from different sources, e.g. when clicked from emails which
> > > means external URLs and data.
> >
> > Same goes with KMail too :-)
>
> not really, KMail protects against just displaying external HTML
> code from mails, you need to explicitly enable it, e.g. by clicking.

Well, you are supposed to know what you are doing if you open a web browser :-)

> > Whatever uses webengine/webkit/ has the same
> > issue. Well, for as long as they are a pile of embedded code, at least
> > to start with.
>
> Only if they are exposed to unfiltered external data and having active code
> elements enabled like 

Bug#1034364: kde-baseapps depends on konqueror which is not security maintained

2023-04-18 Thread Bernhard Reiter
Hi,

Am Dienstag 18 April 2023 04:55:35 schrieb Lisandro Damián Nicanor Pérez 
Meyer:
> On Mon, 17 Apr 2023 at 12:34, Bernhard Reiter  
wrote:

> > Konqueror is advertised as web browser, which means it will (offer to)
> > open URLs from different sources, e.g. when clicked from emails which
> > means external URLs and data.
>
> Same goes with KMail too :-)

not really, KMail protects against just displaying external HTML
code from mails, you need to explicitly enable it, e.g. by clicking.

> Whatever uses webengine/webkit/ has the same
> issue. Well, for as long as they are a pile of embedded code, at least
> to start with.

Only if they are exposed to unfiltered external data and having active code 
elements enabled like 

Bug#1034364: kde-baseapps depends on konqueror which is not security maintained

2023-04-17 Thread Lisandro Damián Nicanor Pérez Meyer
Hi!

On Mon, 17 Apr 2023 at 12:34, Bernhard Reiter  wrote:
>
> Hi Lisandro,
>
> thanks for your response!
>
> Am Samstag 15 April 2023 15:15:08 schrieben Sie:
> > On Thu, 13 Apr 2023 at 14:15, Bernhard Reiter 
> > >"qtwebengine-opensource-src No security support upstream and
> > >backports not feasible, only for use on trusted content"
>
> > If we follow that reasoning we shouldn't be shipping Plasma at all, as
> > many things use Qt5's webengine.
>
> Konqueror is advertised as web browser, which means it will (offer to)
> open URLs from different sources, e.g. when clicked from emails which means
> external URLs and data.

Same goes with KMail too :-)

> Other components from plasma may not share the same exposure to outside
> data, and thus would be less vulnerable. It seems that this would warrant
> some more examination.

Whatever uses webengine/webkit/ has the same
issue. Well, for as long as they are a pile of embedded code, at least
to start with.

> If it is true that other components show the same risks, then yes, I'd say
> that we should either get the security situation changed or really do not
> ship those components by default. They may risk systems like
> the dynamic loading of remote objects from java did which would be a problem
> for both Debian and upstream.

Same thing I said when I opposed packaging webengine, you see :-) But
now it is packaged, and here we are :)

> It seems too big a topic for this issue.
> What would be the right place in debian to bring this up?

Debian devel, maybe? But I did ask the same thing years ago. The reply
was "what is the difference with a PDF?" Whatever handles untrusted
code has the same issue. The only difference here is that we can not
really keep track of everything that goes on a web engine, so no
security support, which does not mean we try to apply patches if we
can.

But please feel free to do whatever you think is right. That's your
freedom, and that's good :)

-- 
Lisandro Damián Nicanor Pérez Meyer
https://perezmeyer.com.ar/



Bug#1034364: kde-baseapps depends on konqueror which is not security maintained

2023-04-17 Thread Bernhard Reiter
Hi Lisandro,

thanks for your response!

Am Samstag 15 April 2023 15:15:08 schrieben Sie:
> On Thu, 13 Apr 2023 at 14:15, Bernhard Reiter 
> >"qtwebengine-opensource-src No security support upstream and
> >backports not feasible, only for use on trusted content"

> If we follow that reasoning we shouldn't be shipping Plasma at all, as
> many things use Qt5's webengine.

Konqueror is advertised as web browser, which means it will (offer to)
open URLs from different sources, e.g. when clicked from emails which means
external URLs and data. 

Other components from plasma may not share the same exposure to outside
data, and thus would be less vulnerable. It seems that this would warrant
some more examination. 

If it is true that other components show the same risks, then yes, I'd say 
that we should either get the security situation changed or really do not 
ship those components by default. They may risk systems like
the dynamic loading of remote objects from java did which would be a problem 
for both Debian and upstream.

It seems too big a topic for this issue.
What would be the right place in debian to bring this up?

Thanks again,
Bernhard




Bug#1034364: kde-baseapps depends on konqueror which is not security maintained

2023-04-13 Thread Bernhard Reiter
Package: kde-baseapps
Version: 4:22.12.3+5.142
Severity: important

Dear Maintainers,

consider removing konqueror from the dependencies of kde-baseapps.

Rationale:

kde-baseapps for version 5:111 (stable) and 5:142 (unstable) depends on
  konqueror
but konqueror depends on
  libqt5webenginecore5
source package is
  qtwebengine-opensource-src
which according to 
https://salsa.debian.org/debian/debian-security-support/-/blob/573b1a3f35208754bdf50a2af03f6c1b8c066a8b/security-support-limited
is not security maintained:
   "qtwebengine-opensource-src No security support upstream and
   backports not feasible, only for use on trusted content"

If this information is still correct,
konqueror should not be recommended or depended on,
as users should by default get a system which is reasonably secure.

Thanks
Bernhard
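The check the report above does by hand (follow the Depends chain from kde-baseapps down to the source package and look it up in security-support-limited) can be automated. The script below is an added illustration for this thread, not code from the bug report, from kde-baseapps, or from the debian-security-support package (which ships its own `check-support-status` tool for installed packages). It assumes the file format visible in the quoted excerpt (one source package per line followed by a free-text reason, `#` comments ignored); the binary-to-source mapping and the dependency edges are constructed sample data in the shape of `dpkg-query -W -f='${Package} ${source:Package}\n'` and `apt-cache depends` output, with only the qtwebengine line quoted from the report.

```python
"""Flag binary packages whose transitive Depends reach a source package listed
in Debian's security-support-limited file (added example, not project code)."""
import re
from collections import deque

# Constructed excerpt in the security-support-limited format assumed above.
# Only the qtwebengine-opensource-src line is quoted from the bug report;
# example-limited-src is an illustrative placeholder.
SUPPORT_LIMITED = """\
# Source package            Reason
qtwebengine-opensource-src  No security support upstream and backports not feasible, only for use on trusted content
example-limited-src         illustrative placeholder entry
"""

# Constructed binary -> source mapping, shaped like
# `dpkg-query -W -f='${Package} ${source:Package}\n'` output.
BINARY_TO_SOURCE = """\
kde-baseapps kde-baseapps
konqueror konqueror
libqt5webenginecore5 qtwebengine-opensource-src
kate kate
"""

# Constructed dependency edges (binary -> binaries); the kde-baseapps ->
# konqueror -> libqt5webenginecore5 chain is the one from the report.
DEPENDS = {
    "kde-baseapps": ["konqueror", "kate"],
    "konqueror": ["libqt5webenginecore5"],
    "libqt5webenginecore5": [],
    "kate": [],
}


def parse_support_limited(text):
    """Return {source_package: reason} from security-support-limited text."""
    limited = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        limited[parts[0]] = parts[1] if len(parts) > 1 else ""
    return limited


def parse_binary_to_source(text):
    """Return {binary: source}; a missing source column means source == binary."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        mapping[parts[0]] = parts[1] if len(parts) > 1 else parts[0]
    return mapping


def find_limited_paths(root, depends, binary_to_source, limited):
    """Breadth-first walk of the Depends graph from `root`.

    Returns a list of (chain, source, reason) for every reachable binary whose
    source package is on the limited list; the chain is the shortest Depends
    path to it. The `seen` set makes the walk terminate on dependency cycles.
    """
    results = []
    seen = {root}
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        pkg = path[-1]
        src = binary_to_source.get(pkg, pkg)
        if src in limited:
            results.append((path, src, limited[src]))
        for dep in depends.get(pkg, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return results


if __name__ == "__main__":
    limited = parse_support_limited(SUPPORT_LIMITED)
    b2s = parse_binary_to_source(BINARY_TO_SOURCE)
    for chain, src, reason in find_limited_paths("kde-baseapps", DEPENDS, b2s, limited):
        print(" -> ".join(chain), f"[source: {src}]")
        print("   ", reason)
```

On a real system the three constructed inputs would be replaced by the current security-support-limited file, the `dpkg-query` mapping, and edges parsed from `apt-cache depends`; the walk itself stays the same. Reporting the whole chain rather than just the leaf package is what makes the output actionable for a bug like this one, since the package to drop or demote (konqueror) sits in the middle of the chain, not at its end.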