Hi,

We have recently started updating all Fedoras to the latest stable release of WebKitGTK+ in order to provide effective security support. I'm pleased that so far we have had no bug reports related to these updates. Recently, FESCo wisely adopted a policy to ban stable release updates that break API or ABI, and while I believe we currently comply, we might be skirting the line a bit.

We intend to offer an API and ABI compatibility indefinitely, most likely until GTK+ 4 is released, whenever that may be, but with two caveats.

First, the stable DOM bindings API/ABI will not change, but may cease to function properly if something is removed from the DOM spec. In the worst case, application crashes are possible, e.g. if an application is not expecting a function to return NULL. To avoid friction with other WebKit contributors, we cannot provide compatibility here. To my knowledge, no real world application has ever been affected by such an issue, and the odds of real world breakage here are much lower than with a typical bugfix update, so I don't see the need to worry about this -- it's just something to be aware of. If your open source application is ever unlucky enough to be affected by such an issue, we will help fix it.

WebKitGTK+ also offers a larger, unstable DOM API accessible if WEBKIT_DOM_USE_UNSTABLE_API is defined. Here API/ABI compatibility is restricted to micro 2.x.y version updates; the API/ABI *will* break in a minor version update (2.x), and these updates will occur within the lifetime of a particular stable Fedora release. The only practical way to avoid API changes here is to not update WebKit and live with unfixed remote code execution vulnerabilities. Backports are not practical. Currently known users of this API are Epiphany and Yelp; since only two applications are affected, I don't consider this a practical problem.

If your Fedora package needs to use this API, contact me privately so that we can know to take responsibility for rebuilding your application when needed and avoid broken updates. Third-party applications are strongly encouraged to avoid using this API.

Michael