desktop-packages team mailing list archive

Thread
Date

[Bug 1532606] Re: depends on libwebkitgtk3 which doesn't have security support

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Sebastien Bacher <seb128@xxxxxxxxxx>
Date: Mon, 11 Jan 2016 09:03:44 -0000
Reply-to: Bug 1532606 <1532606@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: zenity (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: zenity (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to zenity in Ubuntu.
https://bugs.launchpad.net/bugs/1532606

Title:
  depends on libwebkitgtk3 which doesn't have security support

Status in zenity package in Ubuntu:
  Triaged
Status in zenity package in Debian:
  New

Bug description:
  libgwebkitgtk and libwebkitgtk3 are not maintained upstream and contain 100s of active CVEs.
  It sure would be great if users of large DEs that depend on Zenity could opt-out on those CVEs...

  >   I see that zenity has a configure flag to enable/disable webkit support,
  >   would it be possible to provide a zenity-nohtml package that would
  >   "Provides: zenity" so I can keep my *DE installed without depending on a package that has
  >   no security support?

  Because zenity might not be dealing with untrusted HTML content,
  I'm not flagging this one with "security"

  For those that didn't know DANGEROUS packages may be shipped:
  You can use the package "debian-security-support", it'll tell you automatically.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zenity/+bug/1532606/+subscriptions

References

[Bug 1532606] [NEW] depends on libwebkitgtk3 which doesn't have security support
From: apport hater, 2016-01-10