On Tue, May 30, 2017 at 5:47 PM, Jeremy Bicha wrote:
> On Tue, May 30, 2017 at 5:32 PM, Moritz Mühlenhoff wrote:
>> Your best technical bet would be to upgrade to new webkit releases in
>> stretch point releases, this would allow proper binNMUs and allow
>> people to testdrive via s-p-u. But th
On Tue, May 30, 2017 at 5:32 PM, Moritz Mühlenhoff wrote:
> Your best technical bet would be to upgrade to new webkit releases in
> stretch point releases, this would allow proper binNMUs and allow
> people to testdrive via s-p-u. But that's up for the SRMs to
> decide (and I doubt they want to
Alberto Garcia wrote:
> The problem is that point releases with fixes for CVEs can also
> introduce regressions (#855103, introduced in 2.14.4). That one was
> fixed quickly, though, but that's why I was asking.
The security archive doesn't scale to play catchup with all those
rdeps. There's too m
On Sun, May 28, 2017 at 09:32:23PM -0400, Jeremy Bicha wrote:
> > The good news is that the first kind of problems are detected and
> > fixed immediately, so waiting a couple of weeks before uploading
> > the releases to debian-security could be an option (is that what
> > Ubuntu does?).
>
> For t
On Sun, May 28, 2017 at 7:19 PM, Alberto Garcia wrote:
> The good news is that the first kind of problems are detected and
> fixed immediately, so waiting a couple of weeks before uploading
> the releases to debian-security could be an option (is that what
> Ubuntu does?).
For the past 9 months,
On 2017-05-27 23:49, Moritz Mühlenhoff wrote:
> The "browser exception" applies to Chromium and Firefox, which are
> standalone packages (sans a few addons breaking), but unless webkit
> provides a long term branch with API stability guarantees, that's
> not a workable. "Rebase to a new 2.x branch
On Sat, May 27, 2017 at 5:49 PM, Moritz Mühlenhoff wrote:
> The "browser exception" applies to Chromium and Firefox, which are
> standalone packages (sans a few addons breaking), but unless webkit
> provides a long term branch with API stability guarantees, that's
> not a workable. "Rebase to a ne
Jeremy Bicha wrote:
> understanding is that the Debian Security team has absolutely refused
> to extend the "browser exception" (to allow major new versions) to
> webkit2gtk,
The "browser exception" applies to Chromium and Firefox, which are
standalone packages (sans a few addons breaking), but
On Sun, May 21, 2017 at 9:43 AM, Adrian Bunk wrote:
> 2. WebKitGTK+
The primary package of concern here in Debian Stretch is webkit2gtk.
For a year now, Ubuntu has been updating webkit2gtk [1] as security
updates [2] just fine. Ubuntu 16.04 LTS started with 2.10 and has
upgraded it to the majo
Both the jessie release notes [1] and the draft stretch release notes [2]
contain the following text:
5.2.1. Security status of web browsers
Debian 9 includes several browser engines which are affected by a steady
stream of security vulnerabilities. The high rate of vulnerabilities and