Bug#862452: Update to newer QtWebKit
Hey Dmitry,

On Fri, Jul 07, 2017 at 02:28:25PM +0300, Dmitry Shachnev wrote:
> Control: severity -1 important
>
> Hi Florian!
>
> On Fri, Jul 07, 2017 at 12:59:09PM +0200, Florian Bruhin wrote:
> > I'll have to disagree with this being a "wishlist" bug - Security wise,
> > the old QtWebKit is worse than WebKitGTK 2.4, which gets dropped from
> > buster[4] - we're talking about ~3 years of delta from upstream WebKit,
> > including all security fixes in that timespan, which are missing from
> > the current QtWebKit package. Even if Debian doesn't intend to provide
> > security support[5] for QtWebKit, there are various packages depending
> > on it which deal with untrusted input.
>
> I absolutely agree. Bumping the bug severity to important.
>
> However as I said, we need to focus on Qt 5.7.1 → 5.9.1 transition now,
> which still has some blockers. After the transition is done, we will be
> able to do some other Qt tasks not directly related to upgrade, i.e.
> updating QtWebKit or building QtBase with GL ES support on AArch64.
>
> I hope we will do the transition within a couple of weeks, but it depends
> on my time and amount of other tasks.

Sure, I agree keeping Qt up to date is also important - hope everything
goes well with that.

Thank you! :)

Florian

--
https://www.qutebrowser.org | m...@the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/
Bug#862452: Update to newer QtWebKit
Control: severity -1 important

Hi Florian!

On Fri, Jul 07, 2017 at 12:59:09PM +0200, Florian Bruhin wrote:
> I'll have to disagree with this being a "wishlist" bug - Security wise,
> the old QtWebKit is worse than WebKitGTK 2.4, which gets dropped from
> buster[4] - we're talking about ~3 years of delta from upstream WebKit,
> including all security fixes in that timespan, which are missing from
> the current QtWebKit package. Even if Debian doesn't intend to provide
> security support[5] for QtWebKit, there are various packages depending
> on it which deal with untrusted input.

I absolutely agree. Bumping the bug severity to important.

However as I said, we need to focus on Qt 5.7.1 → 5.9.1 transition now,
which still has some blockers. After the transition is done, we will be
able to do some other Qt tasks not directly related to upgrade, i.e.
updating QtWebKit or building QtBase with GL ES support on AArch64.

I hope we will do the transition within a couple of weeks, but it depends
on my time and amount of other tasks.

--
Dmitry Shachnev
Bug#862452: Update to newer QtWebKit
Hi,

FWIW, Fedora also updated their packages[1], and Archlinux had a
qt5-webkit-ng package[2] since January, which recently got merged[3] back
into the main qt5-webkit package.

I'll have to disagree with this being a "wishlist" bug - Security wise,
the old QtWebKit is worse than WebKitGTK 2.4, which gets dropped from
buster[4] - we're talking about ~3 years of delta from upstream WebKit,
including all security fixes in that timespan, which are missing from
the current QtWebKit package. Even if Debian doesn't intend to provide
security support[5] for QtWebKit, there are various packages depending
on it which deal with untrusted input.

There's also a lot of other bugfixes; a lot of websites break or segfault
with the legacy QtWebKit package.

Florian

[1] http://lupinix.blogspot.ch/2017/06/improving-qtwebkit-security-for-fedora.html
[2] https://lists.archlinux.org/pipermail/arch-dev-public/2017-January/028656.html
[3] https://lists.archlinux.org/pipermail/arch-dev-public/2017-June/028895.html
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866671
[5] https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#browser-security

--
https://www.qutebrowser.org | m...@the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/
Bug#862452: Update to newer QtWebKit
On Sunday, 14 May 2017 01:57:22 -03 Konstantin Tokarev wrote:
> 13.05.2017, 19:00, "Dmitry Shachnev" :
> > Hi Konstantin,
> >
> > On Sat, May 13, 2017 at 01:42:12PM +0300, Konstantin Tokarev wrote:
> >> Note that there is unofficial package already:
> >>
> >> http://repo.paretje.be/unstable/#
> >>
> >> See packages libqt5webkit5, libqt5webkit5-dev
> >>
> >> Git repo of package is at
> >> https://gitlab.com/paretje/qtwebkit/tree/master/debian
> >>
> >> Package is loosely based on webkitgtk's, and contains a few build
> >> dependencies that are not actually needed:
> >>
> >> libharfbuzz-dev, libfreetype6-dev, libfontconfig1-dev (these are used
> >> when qtbase is built, not directly in qtwebkit)
> >> libgnutls28-dev, libsoup2.4-dev, libenchant-dev, geoclue-2.0,
> >> libsecret-1-dev - not used at all
> >> libxt-dev - probably unused as well
> >>
> >> Otherwise, packaging files look good to me
> >
> > Thanks for the information, it is very helpful!
> >
> > On Sat, May 13, 2017 at 02:03:10PM +0300, Konstantin Tokarev wrote:
> >> Also, note that upcoming release is intended to be a drop-in replacement
> >> of old QtWebKit to be used with older Qt versions too, as security
> >> update.
> >
> > This is also helpful, but if you mean that we should update the packages
> > in Stretch too, then probably the answer is that we don’t have enough time
> > for it...
>
> Yes, it would be great to update package in Stretch. What should be done to
> make it possible?

At this point in time, nothing. Too late I'm afraid.

> It would be great to have package in backports repo for Jessie

That will not happen because in order for a package to be able to be in
jessie-backports its very same version should be available in stretch. And
we can't push it to stretch now.

It might be possible to add it to stretch-backports once we get it into
testing (ie, after stretch's release) but I am not really interested in
doing it myself.

Kind regards, Lisandro.

--
"One World, One web, One program" - Microsoft Promo ad.
"Ein Volk, Ein Reich, Ein Führer" - Adolf Hitler

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
Bug#862452: Update to newer QtWebKit
On Sat, May 13, 2017 at 10:08:07PM +0200, Giuseppe Bilotta wrote:
> On Sat, May 13, 2017 at 12:42 PM, Konstantin Tokarev wrote:
> > Note that there is unofficial package already:
> >
> > http://repo.paretje.be/unstable/#
> >
> > See packages libqt5webkit5, libqt5webkit5-dev
> >
> > Git repo of package is at
> > https://gitlab.com/paretje/qtwebkit/tree/master/debian
> >
> > Package is loosely based on webkitgtk's, and contains a few build
> > dependencies that are not actually needed:
> >
> > libharfbuzz-dev, libfreetype6-dev, libfontconfig1-dev (these are used when
> > qtbase is built, not directly in qtwebkit)
> > libgnutls28-dev, libsoup2.4-dev, libenchant-dev, geoclue-2.0,
> > libsecret-1-dev - not used at all
> > libxt-dev - probably unused as well
> >
> > Otherwise, packaging files look good to me
>
> Interesting, thanks a lot. That looks like it will make the work much
> easier for the maintainers after the Stretch release, just what they
> were looking for ;-).
>
> I wonder if there's a reason why they went with the same package name
> instead of using a different name (say, libqt5webkit-ng5), and then
> adding Provides/Breaks to allow replacement.

If I recall correctly, it was because of the versioned dependency of
python3-pyqt5.qtwebkit. But, it seems I didn't look well, as support for
versioned Provides has been added in 2014 ...

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=7330
Bug#862452: Update to newer QtWebKit
13.05.2017, 19:00, "Dmitry Shachnev" :
> Hi Konstantin,
>
> On Sat, May 13, 2017 at 01:42:12PM +0300, Konstantin Tokarev wrote:
>> Note that there is unofficial package already:
>>
>> http://repo.paretje.be/unstable/#
>>
>> See packages libqt5webkit5, libqt5webkit5-dev
>>
>> Git repo of package is at
>> https://gitlab.com/paretje/qtwebkit/tree/master/debian
>>
>> Package is loosely based on webkitgtk's, and contains a few build
>> dependencies that are not actually needed:
>>
>> libharfbuzz-dev, libfreetype6-dev, libfontconfig1-dev (these are used when
>> qtbase is built, not directly in qtwebkit)
>> libgnutls28-dev, libsoup2.4-dev, libenchant-dev, geoclue-2.0,
>> libsecret-1-dev - not used at all
>> libxt-dev - probably unused as well
>>
>> Otherwise, packaging files look good to me
>
> Thanks for the information, it is very helpful!
>
> On Sat, May 13, 2017 at 02:03:10PM +0300, Konstantin Tokarev wrote:
>> Also, note that upcoming release is intended to be a drop-in replacement of
>> old QtWebKit to be used with older Qt versions too, as security update.
>
> This is also helpful, but if you mean that we should update the packages
> in Stretch too, then probably the answer is that we don’t have enough time
> for it...

Yes, it would be great to update package in Stretch. What should be done to
make it possible?

It would be great to have package in backports repo for Jessie

>
> --
> Dmitry Shachnev

--
Regards,
Konstantin
Bug#862452: Update to newer QtWebKit
13.05.2017, 23:08, "Giuseppe Bilotta" :
> On Sat, May 13, 2017 at 12:42 PM, Konstantin Tokarev wrote:
>> Note that there is unofficial package already:
>>
>> http://repo.paretje.be/unstable/#
>>
>> See packages libqt5webkit5, libqt5webkit5-dev
>>
>> Git repo of package is at
>> https://gitlab.com/paretje/qtwebkit/tree/master/debian
>>
>> Package is loosely based on webkitgtk's, and contains a few build
>> dependencies that are not actually needed:
>>
>> libharfbuzz-dev, libfreetype6-dev, libfontconfig1-dev (these are used when
>> qtbase is built, not directly in qtwebkit)
>> libgnutls28-dev, libsoup2.4-dev, libenchant-dev, geoclue-2.0,
>> libsecret-1-dev - not used at all
>> libxt-dev - probably unused as well
>>
>> Otherwise, packaging files look good to me
>
> Interesting, thanks a lot. That looks like it will make the work much
> easier for the maintainers after the Stretch release, just what they
> were looking for ;-).
>
> I wonder if there's a reason why they went with the same package name
> instead of using a different name (say, libqt5webkit-ng5), and then
> adding Provides/Breaks to allow replacement.

I doubt there will be a reason to keep old package as an installation option

>
> --
> Giuseppe "Oblomov" Bilotta

--
Regards,
Konstantin
Bug#862452: Update to newer QtWebKit
On Sat, May 13, 2017 at 12:42 PM, Konstantin Tokarev wrote:
> Note that there is unofficial package already:
>
> http://repo.paretje.be/unstable/#
>
> See packages libqt5webkit5, libqt5webkit5-dev
>
> Git repo of package is at
> https://gitlab.com/paretje/qtwebkit/tree/master/debian
>
> Package is loosely based on webkitgtk's, and contains a few build
> dependencies that are not actually needed:
>
> libharfbuzz-dev, libfreetype6-dev, libfontconfig1-dev (these are used when
> qtbase is built, not directly in qtwebkit)
> libgnutls28-dev, libsoup2.4-dev, libenchant-dev, geoclue-2.0, libsecret-1-dev
> - not used at all
> libxt-dev - probably unused as well
>
> Otherwise, packaging files look good to me

Interesting, thanks a lot. That looks like it will make the work much
easier for the maintainers after the Stretch release, just what they
were looking for ;-).

I wonder if there's a reason why they went with the same package name
instead of using a different name (say, libqt5webkit-ng5), and then
adding Provides/Breaks to allow replacement.

--
Giuseppe "Oblomov" Bilotta
Bug#862452: Update to newer QtWebKit
Hi Konstantin,

On Sat, May 13, 2017 at 01:42:12PM +0300, Konstantin Tokarev wrote:
> Note that there is unofficial package already:
>
> http://repo.paretje.be/unstable/#
>
> See packages libqt5webkit5, libqt5webkit5-dev
>
> Git repo of package is at
> https://gitlab.com/paretje/qtwebkit/tree/master/debian
>
> Package is loosely based on webkitgtk's, and contains a few build
> dependencies that are not actually needed:
>
> libharfbuzz-dev, libfreetype6-dev, libfontconfig1-dev (these are used when
> qtbase is built, not directly in qtwebkit)
> libgnutls28-dev, libsoup2.4-dev, libenchant-dev, geoclue-2.0,
> libsecret-1-dev - not used at all
> libxt-dev - probably unused as well
>
> Otherwise, packaging files look good to me

Thanks for the information, it is very helpful!

On Sat, May 13, 2017 at 02:03:10PM +0300, Konstantin Tokarev wrote:
> Also, note that upcoming release is intended to be a drop-in replacement of
> old QtWebKit to be used with older Qt versions too, as security update.

This is also helpful, but if you mean that we should update the packages
in Stretch too, then probably the answer is that we don’t have enough time
for it...

--
Dmitry Shachnev
Bug#862452: Update to newer QtWebKit
Also, note that upcoming release is intended to be a drop-in replacement of
old QtWebKit to be used with older Qt versions too, as security update.

--
Regards,
Konstantin
Bug#862452: Update to newer QtWebKit
Note that there is unofficial package already:

http://repo.paretje.be/unstable/#

See packages libqt5webkit5, libqt5webkit5-dev

Git repo of package is at
https://gitlab.com/paretje/qtwebkit/tree/master/debian

Package is loosely based on webkitgtk's, and contains a few build
dependencies that are not actually needed:

libharfbuzz-dev, libfreetype6-dev, libfontconfig1-dev (these are used when
qtbase is built, not directly in qtwebkit)
libgnutls28-dev, libsoup2.4-dev, libenchant-dev, geoclue-2.0,
libsecret-1-dev - not used at all
libxt-dev - probably unused as well

Otherwise, packaging files look good to me

--
Regards,
Konstantin
Bug#862452: Update to newer QtWebKit
Hi,

On Fri, May 12, 2017 at 10:11:20PM +0200, Giuseppe Bilotta wrote:
> QtWebKit has recently restarted, due to it being faster,
> lighter and more standard compliant than the Blink-derived
> QtWebEngine, see e.g.
>
> http://qtwebkit.blogspot.it/2016/08/qtwebkit-im-back.html
>
> for the announcement (and comparisons). A “Technology
> Preview” compatible with Qt 5.8 is available
>
> https://github.com/annulen/webkit/releases/tag/qtwebkit-tp5
>
> Would it be possible to package it (as `libqt5webkit-ng5`
> for example) when Qt gets upgraded?

Yes, it is planned to update qtwebkit for Buster, but this will only happen
when we have Qt 5.9 in testing.

It is not yet decided whether it will be the same source package or a new
one, but in any case any help is welcome.

--
Dmitry Shachnev
Bug#862452: Update to newer QtWebKit
Package: libqt5webkit5
Version: 5.7.1+dfsg-1
Severity: wishlist

QtWebKit has recently restarted, due to it being faster,
lighter and more standard compliant than the Blink-derived
QtWebEngine, see e.g.

http://qtwebkit.blogspot.it/2016/08/qtwebkit-im-back.html

for the announcement (and comparisons). A “Technology
Preview” compatible with Qt 5.8 is available

https://github.com/annulen/webkit/releases/tag/qtwebkit-tp5

Would it be possible to package it (as `libqt5webkit-ng5`
for example) when Qt gets upgraded?

It might also be possible to package the previous Tech Preview 3

https://github.com/annulen/webkit/releases/tag/qtwebkit-tp3

for Qt 5.7.

The upgrade would give better HTML5 support to browsers
relying on this engine, such as the Otter browser, as shown in
the Otter issue about MathML support:

https://github.com/OtterBrowser/otter-browser/issues/1358

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libqt5webkit5 depends on:
ii  dpkg                                   1.18.23
ii  libc6                                  2.24-10
ii  libgl1-mesa-glx [libgl1]               13.0.6-1+b2
ii  libglib2.0-0                           2.50.3-2
ii  libgstreamer-plugins-base1.0-0         1.10.4-1
ii  libgstreamer1.0-0                      1.10.4-1
ii  libicu57                               57.1-6
ii  libjpeg62-turbo                        1:1.5.1-2
ii  libpng16-16                            1.6.28-1
ii  libqt5core5a [qtbase-abi-5-7-1]        5.7.1+dfsg-3+b1
ii  libqt5gui5                             5.7.1+dfsg-3+b1
ii  libqt5network5                         5.7.1+dfsg-3+b1
ii  libqt5opengl5                          5.7.1+dfsg-3+b1
ii  libqt5printsupport5                    5.7.1+dfsg-3+b1
ii  libqt5qml5 [qtdeclarative-abi-5-7-0]   5.7.1-2+b2
ii  libqt5quick5                           5.7.1-2+b2
ii  libqt5sql5                             5.7.1+dfsg-3+b1
ii  libqt5widgets5                         5.7.1+dfsg-3+b1
ii  libsqlite3-0                           3.16.2-3
ii  libstdc++6                             6.3.0-17
ii  libwebp6                               0.5.2-1
ii  libx11-6                               2:1.6.4-3
ii  libxcomposite1                         1:0.4.4-2
ii  libxml2                                2.9.4+dfsg1-2.2
ii  libxrender1                            1:0.9.10-1
ii  libxslt1.1                             1.1.29-2.1
ii  zlib1g                                 1:1.2.8.dfsg-5

libqt5webkit5 recommends no packages.

libqt5webkit5 suggests no packages.

-- no debconf information