GNU bug report logs - #53289
Removing QtWebKit


Package: guix-patches

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 15 Jan 2022 19:35:02 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Leo Famulari <leo <at> famulari.name>
Subject: bug#53289: closed (Re: Removing QtWebKit)
Date: Fri, 17 Feb 2023 19:54:01 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#53289: Removing QtWebKit

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 53289 <at> debbugs.gnu.org.

-- 
53289: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=53289
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
To: 53289-done <at> debbugs.gnu.org
Subject: Re: Removing QtWebKit
Date: Fri, 17 Feb 2023 14:53:04 -0500
On Sat, Jan 15, 2022 at 02:34:24PM -0500, Leo Famulari wrote:
> We need to remove QtWebKit from the distro.

Done with commit 861d6fa92c465920e65db47ee4fac531156500ec

[Message part 3 (message/rfc822, inline)]
From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Removing QtWebKit
Date: Sat, 15 Jan 2022 14:34:24 -0500
We need to remove QtWebKit from the distro.

The upstream project says this when you go to their download page:

------
WARNING: This release is based on old WebKit revision with known
unpatched vulnerabilities. Please use it carefully and avoid visiting
untrusted websites and using it for transmission of sensitive data.
Please wait for new release from qtwebkit-dev branch to use it with
untrusted content.
------

And a bit of discussion from the oss-sec mailing list [0], quoting here:

------
QtWebKit was a rendering engine for web content released with Qt until
5.6. It was replaced with QtWebEngine after that.

Despite a community fork in 2016, nothing really happened to keep it
alive and secure.
------

And:

------
Readers of this list will likely be familiar with the regular postings
regarding WebKitGTK vulnerabilities: many of them are likely applicable
to QtWebKit too, especially the WebKitGTK-based fork
------

So, the dozens (hundreds?) of notable security bugs fixed in WebKitGTK
are totally unfixed in QtWebKit. Many of these bugs are considered
"arbitrary code execution" bugs.

And the broader context is that there won't be a future for this
package, as Qt has abandoned WebKit in favor of Chromium. This package
will not improve.

If people want to keep using QtWebKit, they can maintain it in a
channel.

[0] https://seclists.org/oss-sec/2021/q3/66



This bug report was last modified 2 years and 98 days ago.
