On Thu, 2015-11-05 at 10:22 -0600, Yaakov Selkowitz wrote:
> On Thu, 2015-11-05 at 09:53 -0600, Michael Catanzaro wrote:
> > On Thu, 2015-11-05 at 16:21 +0100, Jos Vos wrote:
> > > I see that the F23 Xfce live image still includes only Midori as
> > > the internet browser, similar to the F22 image.
> >
> > Midori still depends on an old version of WebKitGTK+, so it has not
> > had any security updates in a long time. It's irresponsible to ship
> > it until this is fixed.
>
> WebKitGTK+ 2.4.9 was shipped in May, and 2.4.8 before that in January
> with a bunch of security fixes, all despite the fact that they had
> since released 2.6.x and 2.8.x. This tells me that the 2.4 branch,
> while deprecated, continues to be maintained.

Note: The 2.4 branch was the last branch that contained the WebKit1 API; that's why we still have it in Fedora and why apps still use it. It's a compatibility package.

2.4.9 was probably the last 2.4 release (at least we have no commitment or plan to do further releases); the goal of that release was to fix the Windows build, since Windows support was removed in 2.6, and Windows users were needing several downstream patches to build 2.4.8. The 2.4.9 release had maybe one or two security fixes that happened to be easy to backport. The real security support ended in January with the 2.4.8 release.

It would be quite unlikely to see any further security updates for the 2.8 branch (in F22), let alone 2.6 (in F21) or 2.4, though we informally consider 2.8 to still be supported. I am very concerned about keeping old releases of WebKit in supported Fedora releases; the reason we do that is that the updates have an unusually-high chance of regressions, but web engines are special and I think that does not outweigh the cost of not getting security updates.

Note that these security updates are quite complicated to backport, so if there is no upstream release, the fixes will not arrive in Fedora; there aren't 2.4 releases anymore due to the complexity of the backports.

Michael