
Bug#1029206: [pre-approval] unblock: webkit2gtk 2.40.0-2
Control: tags -1 moreinfo

Hi Jeremy, Security team

On 2023-01-19 12:02:38 -0500, Jeremy Bicha wrote:
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock transition moreinfo
> Tags: security
> X-Debbugs-CC: webkit2gtk@packages.debian.org
> 
> I am filing this bug early so that the Release Team is aware early.
> 
> [ Reason ]
> webkit2gtk only provides security support for one stable series at a
> time. A new series is released each March and September. The Debian
> Security Team backports these new releases as security updates. [1] [2]
> 
> The upcoming 2.40.0 is more disruptive than usual as it makes a major
> API break for the new GTK4 library, bumping the API series from 5 to 6
> [3]. This causes a small transition: gnome-builder 43 and
> gnome-initial-setup 43 are the only two packages that use the gtk4
> library. They will both need sourceful uploads. Patches will be ready
> for both since the upstream webkitgtk team works closely with the
> GNOME project.
> 
> [ Impact ]
> Because the 2.38 series will be End of Life before Debian 12 is
> released, I believe the Security Team wants 2.40 to make it to Testing.

Security team, what's your take on this?

> [ Tests ]
> There are no automated tests (!)
> The person who uploads gnome-builder and gnome-initial-setup (likely
> me) will make sure those 2 apps still run well with the new webkit2gtk
> version.
> 
> [ Risks ]
> The code changes in a new major webkit2gtk release are too large to
> manually review.
> webkit2gtk is a key package.
> Besides gnome-builder and gnome-initial-setup, webkit2gtk is used by
> many packages. [4]
> 
> [ Checklist ]
>   [ ] all changes are documented in the d/changelog
>   [ ] I reviewed all changes and I approve them
>   [ ] attach debdiff against the package in testing
> 
> [ Other Info ]
> webkit2gtk generally follows the GNOME release schedule. [5] A beta
> (2.39.90) is expected in February. A release candidate (2.39.91)
> around March 6, and the first stable release (2.40.0) around March 20.
> We intend to do a test build in experimental first. I think it makes
> the most sense to wait for the 2.40.0 release and not push a pre-release
> to Unstable/Testing.
> 
> Ubuntu 23.04 will also switch to the 2.40 series by February or early
> March. Ubuntu 22.10 will need to do this transition as stable release
> updates.
> 
> I don't have a ben file since the final soname isn't known yet.

As soon as the new SONAME is known, an upload to experimental would be
appreciated to go through NEW. Please let us know once it's available in
experimental and the test builds have been performed.

Cheers

> 
> [1]
> https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#limited-security-support
> 
> [2] https://tracker.debian.org/pkg/webkit2gtk
> 
> [3] https://discourse.gnome.org/t/webkitgtk-for-gtk-4-status-update-and-api-changes/11033
> 
> [4] https://release.debian.org/transitions/html/webkit2gtk-4.0.html
> 
> [5] https://wiki.gnome.org/FortyFour
> 
> Thank you,
> Jeremy Bicha
> 

-- 
Sebastian Ramacher