| Summary: | QtWebkit and dependencies (like wkhtmltopdf) should be dropped | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | KDE maintainers <kde> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | release_blocker | CC: | fri, geiger.david68210, herman.viaene, mageia, yvesbrungard |
| Version: | Cauldron | Keywords: | IN_RELEASENOTES9 |
| Target Milestone: | Mageia 9 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | qtwebkit-2.3.4-15.mga8.src.rpm, qtwebkit5-5.212.0-1.alpha4.8.mga9.src.rpm, qtwebkit5-examples-and-demos-5.9.0-5.mga8.src.rpm, wkhtmltopdf-0.12.5-4.mga8.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 30163, 31023 | ||
Description
David Walser
2021-08-04 19:50:08 CEST
David Walser
2021-08-04 19:50:22 CEST
Priority:
Normal =>
release_blocker
David Walser
2022-10-25 14:53:07 CEST
Blocks:
(none) =>
30163
David Walser
2022-10-25 14:54:50 CEST
Blocks:
(none) =>
31023

I had a run on this topic. What is done:

- freecad: commuted to qtWebEngine
- goldendict: Use a fork which doesn't use QtWebkit
- kmymoney: Commuted to qtWebEngine
- kvirc: rebuild with disabling qtwebkit
- mythtv-frontend: disabling browser
- notepadqq: commuted to qtWebEngine
- zeal: updated to no more use qtwebkit

CC:
(none) =>
yves.brungard_mageia

I found that these packages have to be obsoleted:

- cutemarked: not updated since 2016
- quiterss: no plan for migration https://github.com/QuiteRSS/quiterss/issues/1470
- Tomahawk-player: not updated since 2020, website is down, no fork found.
- scudcloud: no maintenance
- libvkontakte: no more maintained and marked as such: https://invent.kde.org/libraries/libkvkontakte
- kdewebkit: nothing requires it, can be withdrawn

qgis is also rebuilt with qtwebkit off.

I just asked neoclust to drop libvkontakte as now any srpms needed it anymore.

skrooge is also fixed using now QtWebengine.

But I think we can't drop QtWebkit5 for now as some packages are not yet ported to QtWebengine5. And for now any distributions removed it completely from their repo.

CC:
(none) =>
geiger.david68210

Anything that hasn't been ported is probably unmaintained at this point, so we should drop them. Keep in mind that the packages can be reintroduced if they are revived upstream and ported later. So I would suggest not leaving these applications in task-obsolete.

Subsurface is rebuilt without webkit, thus without printing support.

Still works in progress:

- openboard: There is a 1.7dev in which webkit will be removed, but this branch is not yet released
- python3-qt5-webkit: it has a Requires, should be removed
- signon-ui: version from 2013, and no updates since 2017. But it is required by:
  - kaccounts-integration
  - signon-plugin-oauth2
  - kio-gdrive
  - lib64kaccounts2
  - telepathy-kde-common-internals-core
- smtube: Work in progress https://github.com/smplayer-dev/smtube/pull/21
- Trojita: there is a branch, but it is not ready https://invent.kde.org/pim/trojita/-/merge_requests/1

signon-ui fixed yesterday in Cauldron with signon-ui-0.15-7.git20171022.1.mga9!

libvkontakte now removed!

gambas3 is in progress, once new version moved to Core/Release I'll drop qtwebkit support!

I moved to obsolete:

- cutemarked
- quiterss
- tomahawk-player
- scudcloud

So for now it is pretty good:

    $ urpmq --whatrequires-recursive lib64qt5webkit5
    lib64qt5webkit5
    lib64qt5webkitwidgets5
    qtwebkit5
    smtube
    trojita
    $ urpmq --whatrequires-recursive lib64qt5webkitwidgets5
    lib64qt5webkitwidgets5
    qtwebkit5
    smtube
    trojita

yes pretty good, only 2 remaining packages:

- smtube
- trojita

CC:
(none) =>
mageia

smtube and trojita are now withdrawn. task-lxqt is modified to not recommend trojita.

all is removed

Status:
NEW =>
RESOLVED

Note in end of Rel notes that QtWebkit is removed

CC:
(none) =>
fri

Entered in https://wiki.mageia.org/en/Mageia_9_Release_Notes#Packages_removed_from_the_distribution

The packages in Comment 12 were in "Without removal on upgrade", so I added QtWebkit there too.

The packages in comment 10 are said to be moved to obsolete, I guess that means they are removed on upgrade, so I put them there.

Please correct if wrong!

And generally I think someone who knows the ways should fill in other packages we removed in mga9 - I guess there are more.

Keywords:
FOR_RELEASENOTES9 =>
IN_RELEASENOTES9

In line with nrpe in Bug 26957 and packages in this bug comment 12, IMO the packages in comment 10:

- cutemarked
- quiterss
- tomahawk-player
- scudcloud

should not be removed at upgrade.

Resolution:
FIXED =>
(none)

They are not in task-obsolete so why reopened?

He probably just assumed without checking.

Status:
REOPENED =>
RESOLVED

Yes sorry, just assumed. First I asked in comment 16

I have to learn what is meant by "moved to obsolete", comment 16.

Now corrected https://wiki.mageia.org/en/Mageia_9_Release_Notes#Packages_removed_from_the_distribution

Teamviewer depends on lib64qt5webkit5 and lib64qt5webkitwidgets5

CC:
(none) =>
herman.viaene

Teamviewer is not available in any Mageia repository. Contact the Teamviewer devs and inform them that they rely on an unmaintained and unsecure package.

Status:
REOPENED =>
RESOLVED