Michael Catanzaro wrote:
> I propose we retire the webkitgtk and webkitgtk3 packages when
> branching rawhide for F26 (expected to occur roughly February 2017),
> and forbid unretiring them. All their dependencies would then be
> removed from Fedora according to the normal process shortly before
> the release of F27 (expected to occur May 2017). If nobody objects,
> we'll carry out this plan shortly after the F26 branch point.
Looking at the terabazillion affected packages, this will be a trainwreck!
For QtWebKit, everyone was saying that it is impossible to keep supporting
the old API. Then someone came and just did it. IMHO, this is the only
practicable solution for WebKitGTK as well. Well, that or port all the
applications in the list.
There are some extremely-high-profile applications in your list of affected
packages: GIMP, SAGE (sagemath), Audacity, etc., and even GNOME Shell! (Now
*I* wouldn't complain if GNOME Shell were removed from Fedora, but… ;-) ) So
removing all those packages from Fedora, and even effectively forbidding
them from being readded, is not practicable.
> Answer: If you're sure your application never processes untrusted
> input, it is a special flower. You should request a bundling exception
> from FESCo if you do not intend to upgrade.
So you want to replace one copy of vulnerable code by many copies of
vulnerable code? How is that going to help any? It would also severely bloat
the distribution, given the huge size of WebKit. This is just totally
impractical.
Kevin Kofler