Bug 29326 - QtWebkit and dependencies (like wkhtmltopdf) should be dropped
Summary: QtWebkit and dependencies (like wkhtmltopdf) should be dropped
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: release_blocker major
Target Milestone: Mageia 9
Assignee: KDE maintainers
QA Contact: Sec team
URL:
Whiteboard:
Keywords: IN_RELEASENOTES9
Depends on:
Blocks: 30163 31023
Reported: 2021-08-04 19:50 CEST by David Walser
Modified: 2023-10-14 10:50 CEST

See Also:
Source RPM: qtwebkit-2.3.4-15.mga8.src.rpm, qtwebkit5-5.212.0-1.alpha4.8.mga9.src.rpm, qtwebkit5-examples-and-demos-5.9.0-5.mga8.src.rpm, wkhtmltopdf-0.12.5-4.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-08-04 19:50:08 CEST
As this oss-security post reminds us, QtWebkit is unmaintained and full of known security vulnerabilities:
https://www.openwall.com/lists/oss-security/2021/08/04/1

They mention that wkhtmltopdf is particularly problematic, and that it has alternatives (such as weasyprint and puppeteer) available.

We should drop and/or replace all of this stuff before Mageia 9.
David Walser 2021-08-04 19:50:22 CEST

Priority: Normal => release_blocker
Target Milestone: --- => Mageia 9

David Walser 2022-10-25 14:53:07 CEST

Blocks: (none) => 30163

David Walser 2022-10-25 14:54:50 CEST

Blocks: (none) => 31023

Comment 1 papoteur 2023-03-21 09:14:37 CET
I had a run on this topic.
What is done:
freecad: commuted to qtWebEngine
goldendict: uses a fork which doesn't use QtWebkit
kmymoney: commuted to qtWebEngine
kvirc: rebuilt with qtwebkit disabled
mythtv-frontend: browser disabled
notepadqq: commuted to qtWebEngine
zeal: updated to no longer use qtwebkit

CC: (none) => yves.brungard_mageia

Comment 2 papoteur 2023-03-21 09:23:00 CET
I found that these packages have to be obsoleted:
cutemarked: not updated since 2016
quiterss: no plan for migration https://github.com/QuiteRSS/quiterss/issues/1470
Tomahawk-player: not updated since 2020, website is down, no fork found.
scudcloud: no maintenance
libvkontakte: no longer maintained and marked as such: https://invent.kde.org/libraries/libkvkontakte
kdewebkit: nothing requires it, can be withdrawn
Comment 3 papoteur 2023-03-21 09:34:37 CET
qgis is also rebuilt with qtwebkit off.
Comment 4 David GEIGER 2023-03-21 18:47:55 CET
I just asked neoclust to drop libvkontakte as no srpms need it anymore.

skrooge is also fixed, now using QtWebengine.

But I think we can't drop QtWebkit5 for now as some packages are not yet ported to QtWebengine5.
And for now no distribution has removed it completely from their repo.

CC: (none) => geiger.david68210

Comment 5 David Walser 2023-03-21 19:30:10 CET
Anything that hasn't been ported is probably unmaintained at this point, so we should drop them.  Keep in mind that the packages can be reintroduced if they are revived upstream and ported later.  So I would suggest not leaving these applications in task-obsolete.
Comment 6 papoteur 2023-03-22 15:40:29 CET
Subsurface is rebuilt without webkit, thus without printing support.

Still work in progress:

openboard: there is a 1.7dev in which webkit will be removed, but this branch is not yet released
python3-qt5-webkit: it has a Requires, should be removed
signon-ui: version from 2013, and no updates since 2017. But it is required by:
	kaccounts-integration
	signon-plugin-oauth2
	kio-gdrive
	lib64kaccounts2
	telepathy-kde-common-internals-core

smtube: work in progress https://github.com/smplayer-dev/smtube/pull/21
Trojita: there is a branch, but it is not ready https://invent.kde.org/pim/trojita/-/merge_requests/1
Comment 7 David GEIGER 2023-03-22 17:12:20 CET
signon-ui fixed yesterday in Cauldron with signon-ui-0.15-7.git20171022.1.mga9!
Comment 8 David GEIGER 2023-03-22 17:13:23 CET
libvkontakte now removed!
Comment 9 David GEIGER 2023-03-22 17:15:13 CET
gambas3 is in progress, once new version moved to Core/Release I'll drop qtwebkit support!
Comment 10 papoteur 2023-03-23 09:48:49 CET
I moved to obsolete:

cutemarked
quiterss
tomahawk-player
scudcloud
Comment 11 David GEIGER 2023-03-31 09:44:36 CEST
So for now it is pretty good:

$ urpmq --whatrequires-recursive lib64qt5webkit5
lib64qt5webkit5
lib64qt5webkitwidgets5
qtwebkit5
smtube
trojita

$ urpmq --whatrequires-recursive lib64qt5webkitwidgets5
lib64qt5webkitwidgets5
qtwebkit5
smtube
trojita
Comment 12 Nicolas Lécureuil 2023-06-06 11:16:50 CEST
Yes, pretty good, only 2 remaining packages:

smtube
trojita

CC: (none) => mageia

Comment 13 papoteur 2023-06-07 08:19:31 CEST
smtube and trojita are now withdrawn.
task-lxqt is modified to not recommend trojita.
Comment 14 Nicolas Lécureuil 2023-06-07 10:34:20 CEST
all is removed

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 15 Morgan Leijström 2023-06-07 11:54:54 CEST
Note in end of Rel notes that QtWebkit is removed

CC: (none) => fri
Keywords: (none) => FOR_RELEASENOTES9

Comment 16 Morgan Leijström 2023-06-21 12:55:33 CEST
Entered in
https://wiki.mageia.org/en/Mageia_9_Release_Notes#Packages_removed_from_the_distribution

The packages in Comment 12 were in "Without removal on upgrade", so I added QtWebkit there too.

The packages in comment 10 are said to be moved to obsolete; I guess that means they are removed on upgrade, so I put them there.

Please correct if wrong!


And generally I think someone who knows the ways should fill in other packages we removed in mga9 - I guess there are more.

Keywords: FOR_RELEASENOTES9 => IN_RELEASENOTES9

Comment 17 Morgan Leijström 2023-06-23 09:50:24 CEST
In line with nrpe in Bug 26957 and packages in this bug comment 12, IMO the packages in comment 10:
 cutemarked
 quiterss
 tomahawk-player
 scudcloud
should not be removed at upgrade.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 18 David GEIGER 2023-06-24 13:25:26 CEST
They are not in task-obsolete so why reopened?
Comment 19 David Walser 2023-06-24 15:15:44 CEST
He probably just assumed without checking.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 20 Morgan Leijström 2023-06-24 19:13:12 CEST
Yes sorry, just assumed.
First I asked in comment 16.
I have to learn what is meant by "moved to obsolete", comment 16.

Now corrected
https://wiki.mageia.org/en/Mageia_9_Release_Notes#Packages_removed_from_the_distribution
Comment 21 Herman Viaene 2023-10-14 09:14:50 CEST
Teamviewer depends on lib64qt5webkit5 and lib64qt5webkitwidgets5

CC: (none) => herman.viaene
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 22 sturmvogel 2023-10-14 10:50:28 CEST
Teamviewer is not available in any Mageia repository. Contact the Teamviewer devs and inform them that they rely on an unmaintained and insecure package.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
