Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-10-08 Thread Scott Talbert
On Thu, 22 Sep 2016, Michael Catanzaro wrote: Thanks for working on this Scott! On Thu, 2016-09-22 at 20:37 -0400, Scott Talbert wrote: Also, I plan to create a separate wxGTK3 subpackage containing the webview  library that actually uses WebKit.  That way, some of these artificial 

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-09-22 Thread Michael Catanzaro
Thanks for working on this Scott! On Thu, 2016-09-22 at 20:37 -0400, Scott Talbert wrote: > Also, I plan to create a separate wxGTK3 subpackage containing the > webview  > library that actually uses WebKit.  That way, some of these > artificial  > transitive dependencies on WebKit should go away.

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-09-22 Thread Sérgio Basto
On Qui, 2016-09-22 at 20:37 -0400, Scott Talbert wrote: > On Fri, 23 Sep 2016, Sérgio Basto wrote: > > > > > Hello , > > What is the status of this proposal ? or where/how I can follow the > > status ?  > > My biggest concern is about wxGTK3 some package depend on it, also > > in > > 3rd part

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-09-22 Thread Scott Talbert
On Fri, 23 Sep 2016, Sérgio Basto wrote: Hello , What is the status of this proposal ? or where/how I can follow the status ?  My biggest concern is about wxGTK3 some package depend on it, also in 3rd part repos and gimp !    I'm working on porting wxGTK3 to WebKit2. If you want, you can

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-09-22 Thread Sérgio Basto
On Sex, 2016-06-10 at 08:11 -0500, Michael Catanzaro wrote: > Question: Where can I learn more? > > Answer: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-secur > ity-updates/ > > > Question: What would be removed if this were to occur today? > > Answer: If you read this far, please

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-15 Thread Kevin Kofler
Michael Catanzaro wrote: > I propose we retire the webkitgtk and webkitgtk3 packages when > branching rawhide for F26 (expected to occur roughly February 2017), > and forbid unretiring them. All their dependencies would then be > removed from from Fedora according to the normal process shortly

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-15 Thread Ben Boeckel
On Wed, Jun 15, 2016 at 19:24:35 -0500, Michael Catanzaro wrote: > The reason we don't offer a sync API is that it could cause your > application to hang during IPC between the browser process and the web > process. Understood. It's one of the reasons we're looking at getting the "uzbl" bits

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-15 Thread Michael Catanzaro
On Wed, 2016-06-15 at 19:50 -0400, Ben Boeckel wrote: > That works if you can deal with the result being asynchronous, but if > your callback doesn't belong in the GUI thread… Ah, I think this arose from the discussion about disabling/enabling context menu items. [1] is related. The reason we

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-15 Thread Ben Boeckel
On Wed, Jun 15, 2016 at 18:23:00 -0500, Michael Catanzaro wrote: > On Wed, 2016-06-15 at 22:26 +, Ben Boeckel wrote: > > Note that running JavaScript code in the context of the webpage also > > requires an extension (AFAICS). > > Fortunately, you can actually do this from the UI process using

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-15 Thread Michael Catanzaro
On Wed, 2016-06-15 at 22:26 +, Ben Boeckel wrote: > Note that running JavaScript code in the context of the webpage also > requires an extension (AFAICS). Fortunately, you can actually do this from the UI process using webkit_web_view_run_javascript() and

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-15 Thread Ben Boeckel
On Fri, 10 Jun, 2016 at 16:39:21 GMT, Michael Catanzaro wrote: > If your app does use the DOM API, you have more work as you need to > create a web process extension to access this API. You can use any form > of IPC to communicate between the UI process and the web process; D-Bus > is a good

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-14 Thread Kevin Fenzi
On Sun, 12 Jun 2016 11:28:00 - "Christian Stadelmann" wrote: > I like this idea very much, thank you! > > Independent to whether this proposal is accepted or not, I'd like to > point out that it would be very useful to notify all maintainers of > this issue,

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-13 Thread Milan Crha
On Fri, 2016-06-10 at 08:11 -0500, Michael Catanzaro wrote: > Active porting efforts are underway for Evolution (which will take > care of the mass of evolution-data-server dependencies like gnome- > shell and gdm) Hi, I think it's a very important detail, because if I remove the

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-13 Thread Milan Crha
On Fri, 2016-06-10 at 11:39 -0500, Michael Catanzaro wrote: > There's no transition documentation. Basically, you want to make sure > your package builds when switching the pkg-config version in > configure.ac to webkit2gtk-4.0. Hi, feel free to check out what the evolution-data-server

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-12 Thread Christian Stadelmann
I like this idea very much, thank you! Independent to whether this proposal is accepted or not, I'd like to point out that it would be very useful to notify all maintainers of this issue, probably by filing a bug to every package that uses one of these packages (webkitgtk, webkitgtk3), adding

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Igor Gnatenko
On Jun 10, 2016 8:32 PM, "Scott Talbert" wrote: > > On Fri, 10 Jun 2016, Michael Catanzaro wrote: > >> Question: What if my application depends on GTK+ 2? >> >> Answer: You must first port to GTK+ 3, then port to WebKit2. You may >> find it more practical to stop using

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Scott Talbert
On Fri, 10 Jun 2016, Michael Catanzaro wrote: Question: What if my application depends on GTK+ 2? Answer: You must first port to GTK+ 3, then port to WebKit2. You may find it more practical to stop using WebKitGTK+. What is the WebKit2 package in Fedora? Is that webkitgtk4? Scott -- devel

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Michael Catanzaro
On Fri, 2016-06-10 at 08:11 -0500, Michael Catanzaro wrote: > Answer: QtWebKit has not had security updates since ~2012 The QtWebKit folks asked me to point out that they were merging security fixes until 2014. More information is available at [1]; you can judge the situation for yourself. [1] 

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Michael Catanzaro
On Fri, 2016-06-10 at 15:02 +0100, Richard W.M. Jones wrote: > What do we actually have to do to move apps that are using the > Webkit API to the new version?  What code changes are needed? > Is there documentation for this? There's no transition documentation. Basically, you want to make sure

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Michael Catanzaro
On Fri, 2016-06-10 at 09:58 -0400, Josh Boyer wrote: > > > I am all for anything that removes emacs from our distribution.  How > can I help ensure this happens? > > Serious answer: the Emacs dependency on unsupported WebKit was added two months ago and can be avoided by changing a configure

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Richard W.M. Jones
What do we actually have to do to move apps that are using the Webkit API to the new version? What code changes are needed? Is there documentation for this? Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog:

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Josh Boyer
On Fri, Jun 10, 2016 at 9:11 AM, Michael Catanzaro wrote: > Hi, > > I propose we retire the webkitgtk and webkitgtk3 packages when > branching rawhide for F26 (expected to occur roughly February 2017), > and forbid unretiring them. All their dependencies would then be >

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Michael Catanzaro
On Fri, 2016-06-10 at 08:11 -0500, Michael Catanzaro wrote: > I propose we retire the webkitgtk and webkitgtk3 packages when > branching rawhide for F26 (expected to occur roughly February 2017), > and forbid unretiring them. All their dependencies would then be > removed from from Fedora

Re: Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Michael Catanzaro
On Fri, 2016-06-10 at 08:11 -0500, Michael Catanzaro wrote: > I propose we retire the webkitgtk and webkitgtk3 packages when > branching rawhide for F26 (expected to occur roughly February 2017) To clarify: I propose removing the packages from rawhide (only) shortly after branching for F26, that

Proposal: remove insecure WebKitGTK+ packages for F27

2016-06-10 Thread Michael Catanzaro
Hi, I propose we retire the webkitgtk and webkitgtk3 packages when branching rawhide for F26 (expected to occur roughly February 2017), and forbid unretiring them. All their dependencies would then be removed from from Fedora according to the normal process shortly before the release of F27