Moritz Muehlenhoff
2011-Nov-22 20:39 UTC
[Secure-testing-team] Bug#649625: unmaintained security-wise (again)
Source: webkit
Severity: grave

Security support for webkit in Lenny was a total mess and we had to give up eventually. Prior to the Squeeze release it was stated that this wouldn't happen again, since there was a long term maintenance branch. This led to the following entry in the Squeeze release notes:
http://www.debian.org/releases/stable/i386/release-notes/ch-information.de.html#browser-security

Nine months later history repeats itself: I have no idea, whether this LTS branch exists, but webkit is - as in Squeeze - unmaintained wrt security updates. We've had one DSA in March and the list of open security issues is unmanageable. (This doesn't even include the huge list of issues, which potentially affect webkit due to chromium code heritage: http://security-tracker.debian.org/tracker/status/undetermined)

So far, only two maintainer teams (essentially in both cases a one-man show) have shown that they're able to sustainably support a full featured browser with security updates; iceweasel and chromium.

I guess the consequence is to pick one of the two as the default browser for Wheezy and to demote webkit as another unsupported HTML render engine usable to render a HTML help, but not for a full browser (just like khtml and qtwebkit)

Cheers,
Moritz

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash