Browser choice in live images

Michael Catanzaro mcatanzaro at gnome.org
Thu Nov 5 17:49:09 UTC 2015


On Thu, 2015-11-05 at 10:22 -0600, Yaakov Selkowitz wrote:
> On Thu, 2015-11-05 at 09:53 -0600, Michael Catanzaro wrote:
> > On Thu, 2015-11-05 at 16:21 +0100, Jos Vos wrote:
> > > I see that the F23 Xfce live image still includes only Midori as
> > > the internet browser, similar to the F22 image.
> > 
> > Midori still depends on an old version of WebKitGTK+, so it has not
> > had any security updates in a long time. It's irresponsible to ship it
> > until this is fixed.
> 
> WebKitGTK+ 2.4.9 was shipped in May, and 2.4.8 before that in January
> with a bunch of security fixes, all despite the fact that they had
> since released 2.6.x and 2.8.x.  This tells me that the 2.4 branch, while
> deprecated, continues to be maintained.

Note: The 2.4 branch was the last branch that contained the WebKit1
API; that's why we still have it in Fedora and why apps still use it.
It's a compatibility package.

2.4.9 was probably the last 2.4 release (at least we have no commitment
or plan to do further releases); the goal of that release was to fix
the Windows build, since Windows support was removed in 2.6, and
Windows users were needing several downstream patches to build 2.4.8.
The 2.4.9 release had maybe one or two security fixes that happened to
be easy to backport. The real security support ended in January with
the 2.4.8 release.

It would be quite unlikely to see any further security updates for the
2.8 branch (in F22), let alone 2.6 (in F21) or 2.4, though we
informally consider 2.8 to still be supported. I am very concerned
about keeping old releases of WebKit in supported Fedora releases; the
reason we do that is that the updates have an unusually high chance of
regressions, but web engines are special and I think that does not
outweigh the cost of not getting security updates.

Note that these security updates are quite complicated to backport, so
if there is no upstream release, the fixes will not arrive in Fedora;
there aren't 2.4 releases anymore due to the complexity of the
backports.

Michael
