Bug 29326 - QtWebkit and dependencies (like wkhtmltopdf) should be dropped
Summary: QtWebkit and dependencies (like wkhtmltopdf) should be dropped
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: release_blocker major
Target Milestone: Mageia 9
Assignee: KDE maintainers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 30163 31023
Reported: 2021-08-04 19:50 CEST by David Walser
Modified: 2023-03-23 09:48 CET (History)

See Also:
Source RPM: qtwebkit-2.3.4-15.mga8.src.rpm, qtwebkit5-5.212.0-1.alpha4.8.mga9.src.rpm, qtwebkit5-examples-and-demos-5.9.0-5.mga8.src.rpm, wkhtmltopdf-0.12.5-4.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2021-08-04 19:50:08 CEST
As this oss-security post reminds us, QtWebkit is unmaintained and full of known security vulnerabilities:
https://www.openwall.com/lists/oss-security/2021/08/04/1

They mention that wkhtmltopdf is particularly problematic, and that it has alternatives (such as weasyprint and puppeteer) available.

We should drop and/or replace all of this stuff before Mageia 9.
David Walser 2021-08-04 19:50:22 CEST

Priority: Normal => release_blocker
Target Milestone: --- => Mageia 9

David Walser 2022-10-25 14:53:07 CEST

Blocks: (none) => 30163

David Walser 2022-10-25 14:54:50 CEST

Blocks: (none) => 31023

Comment 1 papoteur 2023-03-21 09:14:37 CET
I had a run on this topic.
What is done:
freecad: commuted to qtWebEngine
goldendict: uses a fork which doesn't use QtWebkit
kmymoney: commuted to qtWebEngine
kvirc: rebuilt with qtwebkit disabled
mythtv-frontend: browser disabled
notepadqq: commuted to qtWebEngine
zeal: updated to no longer use qtwebkit

CC: (none) => yves.brungard_mageia

Comment 2 papoteur 2023-03-21 09:23:00 CET
I found that these packages have to be obsoleted:
cutemarked: not updated since 2016
quiterss: no plan for migration https://github.com/QuiteRSS/quiterss/issues/1470
Tomahawk-player: not updated since 2020, website is down, no fork found.
scudcloud: no maintenance
libvkontakte: no longer maintained and marked as such: https://invent.kde.org/libraries/libkvkontakte
kdewebkit: nothing requires it, can be withdrawn
Comment 3 papoteur 2023-03-21 09:34:37 CET
qgis is also rebuilt with qtwebkit off.
Comment 4 David GEIGER 2023-03-21 18:47:55 CET
I just asked neoclust to drop libvkontakte as now no srpms need it anymore.

skrooge is also fixed using now QtWebengine.

But I think we can't drop QtWebkit5 for now as some packages are not yet ported to QtWebengine5.
And for now no distributions have removed it completely from their repo.

CC: (none) => geiger.david68210

Comment 5 David Walser 2023-03-21 19:30:10 CET
Anything that hasn't been ported is probably unmaintained at this point, so we should drop them. Keep in mind that the packages can be reintroduced if they are revived upstream and ported later. So I would suggest not leaving these applications in task-obsolete.
Comment 6 papoteur 2023-03-22 15:40:29 CET
Subsurface is rebuilt without webkit, thus without printing support.

Still work in progress:

openboard: there is a 1.7dev in which webkit will be removed, but this branch is not yet released.
python3-qt5-webkit: it has a Requires, should be removed.
signon-ui: version from 2013, and no updates since 2017. But it is required by:
    kaccounts-integration
    signon-plugin-oauth2
    kio-gdrive
    lib64kaccounts2
    telepathy-kde-common-internals-core

smtube: work in progress https://github.com/smplayer-dev/smtube/pull/21
Trojita: there is a branch, but it is not ready https://invent.kde.org/pim/trojita/-/merge_requests/1
Comment 7 David GEIGER 2023-03-22 17:12:20 CET
signon-ui fixed yesterday in Cauldron with signon-ui-0.15-7.git20171022.1.mga9!
Comment 8 David GEIGER 2023-03-22 17:13:23 CET
libvkontakte now removed!
Comment 9 David GEIGER 2023-03-22 17:15:13 CET
gambas3 is in progress, once new version moved to Core/Release I'll drop qtwebkit support!
Comment 10 papoteur 2023-03-23 09:48:49 CET
I moved to obsolete:

cutemarked
quiterss
tomahawk-player
scudcloud
