Your message dated Thu, 30 Aug 2012 17:51:36 +0200
with message-id <20120830155136.gc24...@inutil.org>
and subject line Re: Bug#649625: webkit unmaintained security-wise (again)
has caused the Debian Bug report #649625,
regarding unmaintained security-wise (again)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
649625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649625
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: webkit
Severity: grave

Security support for webkit in Lenny was a total mess and we had 
to give up eventually. Prior to the Squeeze release it was stated that this
wouldn't happen again, since there was a long term maintenance
branch. 
This led to the following entry in the Squeeze release notes:
http://www.debian.org/releases/stable/i386/release-notes/ch-information.de.html#browser-security

Nine months later history repeats itself:
I have no idea whether this LTS branch exists, but webkit is
- as in Squeeze - unmaintained wrt security updates.

We've had one DSA in March and the list of open security issues
is unmanageable. (This doesn't even include the huge list of
issues, which potentially affect webkit due to chromium code
heritage:
http://security-tracker.debian.org/tracker/status/undetermined)

So far, only two maintainer teams (essentially in both cases
a one-man show) have shown that they're able to sustainably
support a full-featured browser with security updates:
iceweasel and chromium.

I guess the consequence is to pick one of the two as the
default browser for Wheezy and to demote webkit as another
unsupported HTML render engine usable to render a HTML
help, but not for a full browser (just like khtml and qtwebkit).

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
--- Begin Message ---
On Thu, Dec 08, 2011 at 02:38:07PM -0200, Gustavo Noronha Silva wrote:
> Hey,
> 
> On Mon, 2011-12-05 at 21:00 +0100, Simon Paillard wrote:
> > If the situation persists, it may be worth warning *squeeze* users, through a
> > dedicated DSA/d-security-announce, as well as a dedicated paragraph in the next
> > point release announce?
> 
> Yeah, that sounds sane. Unfortunately we (mostly myself) underestimated
> the amount of work that it would take and overestimated the help we
> would get, which is never a good thing.
> 
> We briefly discussed this issue during the recent webkit hackfest and we
> are trying to figure out a more sustainable way of providing security
> support. If anyone would like to help, we can nominate people to the
> webkit security mailing list, and have an IRC meeting along with other
> WebKitGTK+ people to see what we could do about this, what do you say?

A note has been added to the Wheezy release notes that webkit is not
covered by security support.

Closing this bug.

Cheers,
        Moritz

--- End Message ---
