Review Request 129233: [kdelibs] Make Qt4 WebKit optional (default on)

Michael Pyne mpyne at kde.org
Sat Oct 21 21:42:55 BST 2017



> On Dec. 13, 2016, 9:11 p.m., Albert Astals Cid wrote:
> > I honestly can't see how this would count as "bugfix".
> 
> Heiko Becker wrote:
>     I see it as a security fix, considering that even Qt5Webkit is probably affected by a three-digit number of security issues in its old Webkit and that Qt4Webkit is even based on an older version of Webkit. Especially with the above-mentioned htmlthumbnailer the attack surface is possibly rather huge and in addition not even that obvious to the unsuspecting user.
>     
>     Anyway I have applied this downstream and kicked out htmlthumbnailer from kde-runtime.
> 
> Andreas Sturmlechner wrote:
>     One last ping before close - we've been applying this downstream since 4.14.22 without issues (in fact people have had it enabled or disabled via use flag depending on their setups and provided valuable testing), and not a single bug was raised. Obviously with this flag it is the job of the packagers to determine if they have any qtwebkit reverse-dependencies left, but by default nothing changes.

The "bugfix only" policy is intended to give some improved guarantees that upgrades won't break existing software.  But since we've had packagers already testing this patch for a year now, I think the patch has received more than enough testing to make us able to worry less about breaking user systems.

On top of the potential reduction in attack surface made possible by this restructuring, I think it is in our users' best interest to apply the patch.

+1 from me.


- Michael


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/129233/#review101423
-----------------------------------------------------------


On Dec. 11, 2016, 3:07 p.m., Andreas Sturmlechner wrote:
> 
> (Updated Dec. 11, 2016, 3:07 p.m.)
> 
> 
> Review request for kdelibs.
> 
> 
> Repository: kdelibs
> 
> 
> Description
> -------
> 
> Provide a switch for distributions to disable build of kdewebkit and
> kdewebkit-widgets, to support efforts on getting rid of Qt4 WebKit.
> 
> The implications of this for KDE Applications packages are, at this
> point (16.12.0), negligible:
> 
> kde-runtime/drkonqi
> kde-runtime/kioslave (htmlthumbnail, removable with little effort, probably no reverse dep left)
> kde-runtime/plasma (no reverse deps left)
> pykde4 (with rdep: kajongg)
> 
> 
> Diffs
> -----
> 
>   CMakeLists.txt f1266655c512474626b68565a2830dae5828bf57 
>   kdewidgets/CMakeLists.txt 51536017ac0a3a86e164e30b80840a89aa3a8248 
>   plasma/CMakeLists.txt b9214388d72122ae9c5709b6956a8b8e13ccd3aa 
> 
> 
> Diff: https://git.reviewboard.kde.org/r/129233/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andreas Sturmlechner
> 
>
