Re: Release notes entry for web browser security support
On Wed, Feb 02, 2011 at 07:33:27PM +0100, Julien Cristau wrote:
> On Mon, Jan 10, 2011 at 20:56:01 +0100, Moritz Muehlenhoff wrote:
>
> > State of browser support
> >
> > Debian Squeeze includes several browser engines which are affected by a
> > frequent stream of security vulnerabilities. The high rate of vulnerabilities
> > and lack of upstream support in the form of long term branches make it
> > close to impossible to support these browsers with backported security
> > fixes. Additionally, library interdependencies make it impossible to update to
> > newer upstream releases. As such, browsers built upon the webkit, qtwebkit
> > and khtml engines are included in Squeeze, but not covered by full security
> > support. We will make an effort to track down and backport security fixes,
> > but in general these browsers should not be used against untrusted websites.
> >
> > For general web browser use we recommend browsers building on the
> > Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium. Xulrunner
> > has had a history of good backportability for older releases over the
> > previous release cycles.
> >
> > Chromium - while built upon the Webkit codebase - is a leaf package, i.e.
> > if backporting becomes no longer feasible, there's still the possibility of
> > upgrading to a later upstream release (which is not possible for the
> > webkit library itself).
> >
> Should I include this in the release notes then, or does the webkit part
> need changes?

Slightly modified (including the fact that there's in fact a LTS branch
by Collabora and Red Hat):

---
Debian Squeeze includes several browser engines which are affected by a
frequent stream of security vulnerabilities. The high rate of vulnerabilities
and partial lack of upstream support in the form of long term branches make it
very difficult to support these browsers with backported security fixes.
Additionally, library interdependencies make it impossible to update to newer
upstream releases.

As such, browsers built upon the qtwebkit and khtml engines are included in
Squeeze, but not covered by full security support. We will make an effort to
track down and backport security fixes, but in general these browsers should
not be used against untrusted websites.

For general web browser use we recommend browsers building on the
Mozilla xulrunner engine (Iceweasel and Iceape), browsers based on the
Webkit engine (e.g. Epiphany) or Chromium. Xulrunner has had a history of
good backportability for older releases over the previous release cycles.

Chromium - while built upon the Webkit codebase - is a leaf package, i.e.
if backporting becomes no longer feasible, there's still the possibility of
upgrading to a later upstream release (which is not possible for the
webkit library itself). Webkit is supported by upstream with a long term
maintenance branch.
---

Cheers,
        Moritz
Re: Release notes entry for web browser security support
On Wed, Feb 2, 2011 at 21:01:44 +0100, Moritz Mühlenhoff wrote:

> Slightly modified (including the fact that there's in fact a LTS branch
> by Collabora and Red Hat):
>
Thanks, committed.

Cheers,
Julien
Re: Release notes entry for web browser security support
On Mon, Jan 10, 2011 at 20:56:01 +0100, Moritz Muehlenhoff wrote:

> State of browser support
>
> Debian Squeeze includes several browser engines which are affected by a
> frequent stream of security vulnerabilities. The high rate of vulnerabilities
> and lack of upstream support in the form of long term branches make it
> close to impossible to support these browsers with backported security
> fixes. Additionally, library interdependencies make it impossible to update to
> newer upstream releases. As such, browsers built upon the webkit, qtwebkit
> and khtml engines are included in Squeeze, but not covered by full security
> support. We will make an effort to track down and backport security fixes,
> but in general these browsers should not be used against untrusted websites.
>
> For general web browser use we recommend browsers building on the
> Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium. Xulrunner
> has had a history of good backportability for older releases over the
> previous release cycles.
>
> Chromium - while built upon the Webkit codebase - is a leaf package, i.e.
> if backporting becomes no longer feasible, there's still the possibility of
> upgrading to a later upstream release (which is not possible for the
> webkit library itself).
>
Should I include this in the release notes then, or does the webkit part
need changes?

Cheers,
Julien
Re: Release notes entry for web browser security support
On Mon, Jan 10, 2011 at 08:56:01PM +0100, Moritz Muehlenhoff wrote:
[...]
> --
> State of browser support
>
> Debian Squeeze includes several browser engines which are affected by a
> frequent stream of security vulnerabilities. The high rate of vulnerabilities
[...]

I'm not a native speaker, but "a frequent stream" sounds strange to me;
"a steady stream" would be more appropriate IMO. Or even drop "the stream"
and just use "frequently affected by security vulnerabilities".
Release notes entry for web browser security support
Hi,
as discussed before (http://lists.debian.org/debian-release/2010/08/msg01848.html)
we need to document the de-facto status of Squeeze browser support in the
release notes. Proposed text below. Any objections and/or spelling
improvements by native speakers?

[Webkit, Chromium and KDE maintainers CC.]

Cheers,
        Moritz

--
State of browser support

Debian Squeeze includes several browser engines which are affected by a
frequent stream of security vulnerabilities. The high rate of vulnerabilities
and lack of upstream support in the form of long term branches make it
close to impossible to support these browsers with backported security
fixes. Additionally, library interdependencies make it impossible to update to
newer upstream releases. As such, browsers built upon the webkit, qtwebkit
and khtml engines are included in Squeeze, but not covered by full security
support. We will make an effort to track down and backport security fixes,
but in general these browsers should not be used against untrusted websites.

For general web browser use we recommend browsers building on the
Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium. Xulrunner
has had a history of good backportability for older releases over the
previous release cycles.

Chromium - while built upon the Webkit codebase - is a leaf package, i.e.
if backporting becomes no longer feasible, there's still the possibility of
upgrading to a later upstream release (which is not possible for the
webkit library itself).

Cheers,
        Moritz