Demi Marie Obenour wrote:
> I can’t help with maintenance, but I honestly wonder if some of these programs could be modified to shell out to a browser subprocess.
That is not a reasonable solution. Those applications need embedded HTML in the UI, not a separate browser window. And it does not help at all if the browser that is shelled out to itself uses QtWebEngine.
> Even if Fedora shipped QtWebEngine releases the day they were tagged in git, this would still not be enough for security. Not when upstream itself is lagging so badly.
But it would be better than now where we are sitting on dozens of security fixes, some of them critical, for 3+ MONTHS!
> I also wonder if some features of QtWebEngine, such as the V8 JIT compiler or even scripting as a whole, ought to be proactively disabled.
-1 to that from me as the maintainer of Falkon. It would completely break Falkon. Hardly any website these days works without JavaScript (unfortunately).
> There is absolutely no reason for KMail to be running untrusted scripts, and disabling them mitigates many if not most vulnerabilities.
KMail can (and, I believe, already does) disable JavaScript in its HTML views.
Kevin Kofler