Debian Bug report logs - #594550
RM: webkit/1.0.1-4+lenny2

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Fri, 27 Aug 2010 04:06:01 UTC

Severity: normal

Tags: lenny, moreinfo

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#594550; Package release.debian.org. (Fri, 27 Aug 2010 04:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 27 Aug 2010 04:06:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Cc: secure-testing-team@lists.alioth.debian.org
Subject: RM: webkit/1.0.1-4+lenny2
Date: Fri, 27 Aug 2010 00:01:37 -0400
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: rm
Severity: normal

Hi,

The lenny webkit package has an insurmountable number of security
vulnerabilities [0].  The version included there was of an experimental
nature, and the only front end available is the builtin GtkLauncher
app, which isn't very functional itself and is likely used by no one.
There are no reverse dependencies.

Please remove the package for the upcoming lenny point release.  I've
brought this up with the security team and webkit maintainers [1],[2],
and there has so far been no objection.  However, I also didn't get
any responses either way.  You may want to try to touch base with
either/both teams directly.

I think removal is the only supportable course of action.

Thanks,
Mike

[0] http://security-tracker.debian.org/tracker/source-package/webkit
[1] http://lists.alioth.debian.org/pipermail/pkg-webkit-maintainers/2010-August/001541.html
[2] http://lists.alioth.debian.org/pipermail/secure-testing-team/2010-August/004281.html




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#594550; Package release.debian.org. (Fri, 27 Aug 2010 05:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 27 Aug 2010 05:30:03 GMT) Full text and rfc822 format available.

Message #10 received at 594550@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 594550@bugs.debian.org
Subject: Re: Bug#594550: RM: webkit/1.0.1-4+lenny2
Date: Fri, 27 Aug 2010 06:27:16 +0100
On Fri, 2010-08-27 at 00:01 -0400, Michael Gilbert wrote:
> The lenny webkit package has an insurmountable number of security
> vulnerabilities [0].  The version included there was of an experimental
> nature, and the only front end available is the builtin GtkLauncher
> app, which isn't very functional itself and is likely used by no one.
> There are no reverse dependencies.

Yes there are - libwebkit1.0-cil from webkit-sharp, which is in turn a
reverse dependency of mono-tools-gui.

Regards,

Adam




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#594550; Package release.debian.org. (Fri, 27 Aug 2010 06:54:03 GMT) Full text and rfc822 format available.

Message #13 received at 594550@bugs.debian.org (full text, mbox):

From: Philipp Kern <pkern@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 594550@bugs.debian.org
Cc: secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#594550: RM: webkit/1.0.1-4+lenny2
Date: Fri, 27 Aug 2010 08:49:54 +0200
[Message part 1 (text/plain, inline)]
On Fri, Aug 27, 2010 at 12:01:37AM -0400, Michael Gilbert wrote:
> The lenny webkit package has an insurmountable number of security
> vulnerabilities [0].  The version included there was of an experimental
> nature, and the only front end available is the builtin GtkLauncher
> app, which isn't very functional itself and is likely used by no one.
> There are no reverse dependencies.
> 
> Please remove the package for the upcoming lenny point release.  I've
> brought this up with the security team and webkit maintainers [1],[2],
> and there has so far been no objection.  However, I also didn't get
> any responses either way.  You may want to try to touch base with
> either/both teams directly.
> 
> I think removal is the only supportable course of action.

The secure-testing list is inappropriate to ask the security team about a
package in Lenny.  Please use the appropriate contact and get them to reply.
Some CVEs are listed as "minor issue - no DSA", so it wouldn't be valid
to remove it for that.  (Sadly it seems that there's no overview to list
a package's vulnerabilities in Lenny at a glance?)

Kind regards,
Philipp Kern
[signature.asc (application/pgp-signature, inline)]

Added tag(s) moreinfo and lenny. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Fri, 27 Aug 2010 12:12:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#594550; Package release.debian.org. (Fri, 27 Aug 2010 15:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 27 Aug 2010 15:03:05 GMT) Full text and rfc822 format available.

Message #20 received at 594550@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 594550@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Cc: security@debian.org
Subject: Re: Bug#594550: RM: webkit/1.0.1-4+lenny2
Date: Fri, 27 Aug 2010 10:56:54 -0400
On Fri, 27 Aug 2010 08:49:54 +0200, Philipp Kern wrote:
> On Fri, Aug 27, 2010 at 12:01:37AM -0400, Michael Gilbert wrote:
> > The lenny webkit package has an insurmountable number of security
> > vulnerabilities [0].  The version included there was of an experimental
> > nature, and the only front end available is the builtin GtkLauncher
> > app, which isn't very functional itself and is likely used by no one.
> > There are no reverse dependencies.
> > 
> > Please remove the package for the upcoming lenny point release.  I've
> > brought this up with the security team and webkit maintainers [1],[2],
> > and there has so far been no objection.  However, I also didn't get
> > any responses either way.  You may want to try to touch base with
> > either/both teams directly.
> > 
> > I think removal is the only supportable course of action.
> 
> The secure-testing list is inappropriate to ask the security team about a
> package in Lenny.  Please use the appropriate contact and get them to reply.

I was more concerned about getting feedback from the webkit
developers.  I've already talked to Moritz Muehlenhoff from the
security team about this directly.

> Some CVEs are listed as "minor issue - no DSA", so it wouldn't be valid
> to remove it for that.  

Perhaps 10 of the 50 or so issues are no-dsa.  I think it's valid to
remove it due to the 40 other issues.

> (Sadly it seems that there's no overview to list
> a package's vulnerabilities in Lenny at a glance?)

No, there currently isn't a straightforward way to do that.  However,
you could look at the stable overall page and count the number of
webkit issues there.

However, it seems a direct removal isn't so straightforward since there
are two reverse dependencies: mono-tools-gui and
claws-mail-extra-plugins. Note that the popcon counts are low for
those: 131 [1] and 258 [2] respectively.  Perhaps it would be ok to
remove them as well?

Or perhaps instead there could be an end-of-life security announcement?

Thanks,
Mike
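The check that Adam's reply and Mike's follow-up above both hinge on is "what in the archive depends on this source package, directly or through a chain" (webkit -> libwebkit1.0-cil from webkit-sharp -> mono-tools-gui). The following is an added example, not part of the bug log and not a Debian tool; it walks Debian-style Packages stanzas to find transitive reverse dependencies. The stanzas embedded in it are constructed sample input: the binary package names, versions and Depends fields are assumptions chosen to mirror the thread, not copied from the lenny archive. On a real system the same stanzas come from a Packages file; `apt-cache rdepends` only reports one level, which is why the transitive walk matters here.

```python
"""Transitive reverse-dependency walk over Debian 'Packages' stanzas.

Added example, not from the bug log. SAMPLE_PACKAGES is CONSTRUCTED to mirror
the chain discussed in the thread; names and Depends fields are assumptions.
"""
import re
from collections import defaultdict, deque

SAMPLE_PACKAGES = """\
Package: libwebkit-1.0-1
Source: webkit
Depends: libc6, libgtk2.0-0

Package: libwebkit-dev
Source: webkit
Depends: libwebkit-1.0-1 (= 1.0.1-4+lenny2)

Package: libwebkit1.0-cil
Source: webkit-sharp
Depends: libwebkit-1.0-1 (>= 1.0.1),
 libglib2.0-cil

Package: mono-tools-gui
Source: mono-tools
Depends: libwebkit1.0-cil, libgtk2.0-cil

Package: claws-mail-extra-plugins
Depends: libwebkit-1.0-1 | libgtk2.0-0, claws-mail
"""

# Version constraints "(>= 1.0)" and arch qualifiers "[amd64]" do not matter
# for the walk and are stripped from each dependency alternative.
_QUALIFIER = re.compile(r"\s*(\([^)]*\)|\[[^\]]*\])")
STRENGTH = {"alternative": 1, "hard": 2}

def parse_packages(text):
    """Split RFC822-style stanzas; folded lines (leading whitespace) are joined."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0] in " \t" and last_key:
            current[last_key] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def parse_depends(field):
    """'a (>= 1) | b, c [amd64]' -> [['a', 'b'], ['c']]."""
    groups = []
    for clause in field.split(","):
        alts = [_QUALIFIER.sub("", a).strip() for a in clause.split("|")]
        alts = [a for a in alts if a]
        if alts:
            groups.append(alts)
    return groups

def build_index(stanzas):
    """Return (binary -> source package, binary -> Depends groups)."""
    source_of, depends_of = {}, {}
    for st in stanzas:
        name = st["Package"]
        # 'Source: foo (1.2-3)' is allowed; keep only the source name.
        source_of[name] = st.get("Source", name).split()[0]
        depends_of[name] = parse_depends(st.get("Depends", ""))
    return source_of, depends_of

def reverse_deps(source, source_of, depends_of):
    """{binary: 'hard' | 'alternative'} for everything that transitively
    depends on a binary built from `source`. A chain is 'hard' only if every
    link is the sole alternative of its clause; one '|' anywhere downgrades
    it, since the dependant stays installable through the other alternative."""
    edges = defaultdict(list)  # dependency -> [(dependant, link strength)]
    for pkg, groups in depends_of.items():
        for alts in groups:
            link = "hard" if len(alts) == 1 else "alternative"
            for dep in alts:
                edges[dep].append((pkg, link))
    best = {}
    queue = deque((b, "hard") for b, s in source_of.items() if s == source)
    while queue:
        pkg, strength = queue.popleft()
        for dependant, link in edges[pkg]:
            new = min(strength, link, key=STRENGTH.__getitem__)
            if dependant in best and STRENGTH[best[dependant]] >= STRENGTH[new]:
                continue  # already reached by an equal or stronger chain
            best[dependant] = new
            queue.append((dependant, new))
    return best

def removal_blockers(source, stanzas):
    """{binary: (its source package, strength)} for rdeps outside `source`."""
    source_of, depends_of = build_index(stanzas)
    found = reverse_deps(source, source_of, depends_of)
    return {pkg: (source_of[pkg], strength)
            for pkg, strength in found.items() if source_of[pkg] != source}

if __name__ == "__main__":
    blockers = removal_blockers("webkit", parse_packages(SAMPLE_PACKAGES))
    for pkg, (src, strength) in sorted(blockers.items()):
        print(f"{pkg:28} from {src:28} {strength}")
```

The hard/alternative distinction is the part a removal request needs: an rdep reached only through a `|` alternative stays installable after the removal, while a hard chain (here mono-tools-gui via libwebkit1.0-cil) means the dependant, and by extension its own rdeps, would have to be removed or adapted as well.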




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#594550; Package release.debian.org. (Sat, 28 Aug 2010 21:15:03 GMT) Full text and rfc822 format available.

Message #23 received at 594550@bugs.debian.org (full text, mbox):

From: Philipp Kern <pkern@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 594550@bugs.debian.org
Cc: secure-testing-team@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#594550: RM: webkit/1.0.1-4+lenny2
Date: Sat, 28 Aug 2010 23:13:37 +0200
[Message part 1 (text/plain, inline)]
On Fri, Aug 27, 2010 at 10:56:54AM -0400, Michael Gilbert wrote:
> However, it seems a direct removal isn't so straightforward since there
> are two reverse dependencies: mono-tools-gui and
> claws-mail-extra-plugins. Note that the popcon counts are low for
> those: 131 [1] and 258 [2] respectively.  Perhaps it would be ok to
> remove them as well?

You seem to have a different perception of low than me.

Kind regards,
Philipp Kern 
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#594550; Package release.debian.org. (Tue, 31 Aug 2010 16:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 31 Aug 2010 16:12:03 GMT) Full text and rfc822 format available.

Message #28 received at 594550@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 594550@bugs.debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org, debian-release@lists.debian.org
Subject: Re: Bug#594550: RM: webkit/1.0.1-4+lenny2
Date: Tue, 31 Aug 2010 18:09:16 +0200
On Fri, Aug 27, 2010 at 10:56:54AM -0400, Michael Gilbert wrote:
> On Fri, 27 Aug 2010 08:49:54 +0200, Philipp Kern wrote:
> > On Fri, Aug 27, 2010 at 12:01:37AM -0400, Michael Gilbert wrote:
> > > The lenny webkit package has an insurmountable number of security
> > > vulnerabilities [0].  The version included there was of an experimental
> > > nature, and the only front end available is the builtin GtkLauncher
> > > app, which isn't very functional itself and is likely used by no one.
> > > There are no reverse dependencies.
> > > 
> > > Please remove the package for the upcoming lenny point release.  I've
> > > brought this up with the security team and webkit maintainers [1],[2],
> > > and there has so far been no objection.  However, I also didn't get
> > > any responses either way.  You may want to try to touch base with
> > > either/both teams directly.
> > > 
> > > I think removal is the only supportable course of action.
> > 
> > The secure-testing list is inappropriate to ask the security team about a
> > package in Lenny.  Please use the appropriate contact and get them to reply.
> 
> I was more concerned about getting feedback from the webkit
> developers.  I've already talked to Moritz Muehlenhoff from the
> security team about this directly.

That is correct.

> > Some CVEs are listed as "minor issue - no DSA", so it wouldn't be valid
> > to remove it for that.  
> 
> Perhaps 10 of the 50 or so issues are no-dsa.  I think it's valid to
> remove it due to the 40 other issues.
> 
> > (Sadly it seems that there's no overview to list
> > a package's vulnerabilities in Lenny at a glance?)
> 
> No, there currently isn't a straightfoward way to do that.  However,
> you could look at the stable overall page and count the number of
> webkit issues there.
> 
> However, it seems a direct removal isn't so straightforward since there
> are two reverse dependencies: mono-tools-gui and
> claws-mail-extra-plugins. Note that the popcon counts are low for
> those: 131 [1] and 258 [2] respectively.  Perhaps it would be ok to
> remove them as well?

We would need to check how these packages use webkit, maybe they can be
adapted.

> Or perhaps instead there could be an end-of-life security announcement?

Removal seems cleaner to me in general. An EOL announcement is necessary
anyway.

The much more important question is how we prevent the same situation
for Squeeze. Webkit has a lot more rdeps there. I'm adding
debian-release to the CC list.

The following packages contain webkit or have a webkit heritage:

chromium: That's a leaf package and Guiseppe will be updating it
with point releases and backport later on (like Xulrunner). No
problems here. Except maybe that it needs a co-maintainer.

kdelibs/kdelibs4: Only a few webkit issues also affect khtml, since the 
code bases have forked away from each other quite some time ago and
webkit has seen lots of changes and rewrites.
My proposal: We'll fix everything for which a KDE advisory is issued,
but won't be able to investigate each webkit issue whether it affects
khtml. khtml upstream doesn't do so either. We should document this in
README.Debian. The KDE 3 version already has a README file stating
that security support is very limited.

qt4: It embeds a webkit copy, but does any application in the archive
use it? It seems as if Nokia doesn't systematically track security
issues either. If the webkit version embedded is the same as the
webkit version in Debian it might be straightforward to carry the
patches over. The alternative: Mark QT4 as unsupported security-wise.

Webkit: Patches need to be backported, but we need more maintainers
involved and committed to backporting patches. A few people need to
step up and commit to it, otherwise it's bound to fail for Squeeze
as it failed for Lenny.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#594550; Package release.debian.org. (Tue, 31 Aug 2010 16:33:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 31 Aug 2010 16:33:11 GMT) Full text and rfc822 format available.

Message #33 received at 594550@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, 594550@bugs.debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org, debian-release@lists.debian.org
Subject: Re: Bug#594550: RM: webkit/1.0.1-4+lenny2
Date: Tue, 31 Aug 2010 18:31:47 +0200
[Message part 1 (text/plain, inline)]
On Tue, Aug 31, 2010 at 18:09:16 +0200, Moritz Muehlenhoff wrote:

> Removal seems cleaner to me in general. An EOL announcement is necessary
> anyway.
> 
Removals from stable are anything but clean.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#594550; Package release.debian.org. (Tue, 31 Aug 2010 16:39:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 31 Aug 2010 16:39:08 GMT) Full text and rfc822 format available.

Message #38 received at 594550@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Julien Cristau <jcristau@debian.org>, Michael Gilbert <michael.s.gilbert@gmail.com>, 594550@bugs.debian.org, secure-testing-team@lists.alioth.debian.org, security@debian.org, debian-release@lists.debian.org
Subject: Re: Bug#594550: RM: webkit/1.0.1-4+lenny2
Date: Tue, 31 Aug 2010 18:35:34 +0200
On Tue, Aug 31, 2010 at 06:31:47PM +0200, Julien Cristau wrote:
> On Tue, Aug 31, 2010 at 18:09:16 +0200, Moritz Muehlenhoff wrote:
> 
> > Removal seems cleaner to me in general. An EOL announcement is necessary
> > anyway.
> > 
> Removals from stable are anything but clean.

It's cleaner than leaving the unsupported binaries in place and only
announcing an EOL.

Of course the cleanest solution would be to fix it. If anyone wants to pick 
up maintenance for stable-security for webkit, here's the link of unfixed
issues: http://security-tracker.debian.org/tracker/source-package/webkit

Cheers,
        Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#594550; Package release.debian.org. (Fri, 01 Oct 2010 21:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 01 Oct 2010 21:57:03 GMT) Full text and rfc822 format available.

Message #43 received at 594550@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 594550@bugs.debian.org
Subject: Re: Bug#594550: RM: webkit/1.0.1-4+lenny2
Date: Fri, 1 Oct 2010 23:53:15 +0200
[Message part 1 (text/plain, inline)]
On Fri, Aug 27, 2010 at 00:01:37 -0400, Michael Gilbert wrote:

> The lenny webkit package has an insurmountable number of security
> vulnerabilities [0].  The version included there was of an experimental
> nature, and the only front end available is the builtin GtkLauncher
> app, which isn't very functional itself and is likely used by no one.
> There are no reverse dependencies.
> 
> Please remove the package for the upcoming lenny point release.  I've
> brought this up with the security team and webkit maintainers [1],[2],
> and there has so far been no objection.  However, I also didn't get
> any responses either way.  You may want to try to touch base with
> either/both teams directly.
> 
> I think removal is the only supportable course of action.
> 
Talking to Mirco Bauer, maintainer of the only webkit rev-dep in lenny,
a few days ago:

15:55:34 < meebey> the reason mono-tools was granted to use webkit is
that mono-tools use a sane and defined subset of HTML for rendering
documentation files
15:55:38 < meebey> which are only offline available
[...]
15:57:30 < meebey> it can't display any content found on HTTP servers
15:57:33 < meebey> only local files
15:58:02 < meebey> and it only renders special compiled (using monodoc)
files, not even simple HTML files
15:58:14 < meebey> that was the only reason it was granted to be shipped
in lenny
15:58:28 < meebey> while everything else had to disable webkit usage

I don't think removal makes sense, as no browser in lenny uses webkit,
and if it's only used to display trusted content then I don't think the
issues are so severe.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Tue, 02 Nov 2010 13:57:09 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 02 Nov 2010 13:57:09 GMT) Full text and rfc822 format available.

Message #48 received at 594550-done@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 594550-done@bugs.debian.org
Subject: Re: Bug#594550: RM: webkit/1.0.1-4+lenny2
Date: Tue, 2 Nov 2010 14:54:10 +0100
[Message part 1 (text/plain, inline)]
On Fri, Aug 27, 2010 at 00:01:37 -0400, Michael Gilbert wrote:

> I think removal is the only supportable course of action.
> 
Seems that this is not happening.  Closing the bug.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Dec 2010 07:33:48 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 02:33:36 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.