No edit summary |
Genodeftest (talk | contribs) (→Scope: Update for F35) |
||
(15 intermediate revisions by 2 users not shown) | |||
Line 2: | Line 2: | ||
== Summary == | == Summary == | ||
Qtwebkit (qt4 era package) is dead upstream, and has hundreds of known CVEs | Qtwebkit (qt4 era package) is dead upstream, and has hundreds of known CVEs, many of them being remote code execution bugs. It's time to remove qtwebkit from the distribution. See also [https://bugzilla.redhat.com/show_bug.cgi?id=1711519 #1711519] which has been open without action for years. | ||
Qtwebkit is one of the few packages which still needs python2 to build. | |||
== Owner == | == Owner == | ||
Line 17: | Line 19: | ||
[[Category:SystemWideChange]] | [[Category:SystemWideChange]] | ||
* Targeted release: [[Releases/ | * Targeted release: [[Releases/37 | Fedora 37]] | ||
* Last updated: <!-- this is an automatic macro — you don't need to change this line --> {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}} | * Last updated: <!-- this is an automatic macro — you don't need to change this line --> {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}} | ||
* FESCo issue: <will be assigned by the Wrangler> | * FESCo issue: <will be assigned by the Wrangler> | ||
Line 27: | Line 29: | ||
Here is a current list of packages depending on qtwebkit, and the relative proposals of how to deal with them: | Here is a current list of packages depending on qtwebkit, and the relative proposals of how to deal with them: | ||
* amarok-0:2.9.0- | * amarok-0:2.9.0-12.fc35.x86_64 | ||
=> Musicplayer. Switch to a current git master snapshot, which is KF5 based (https://invent.kde.org/multimedia/amarok) | => Musicplayer. Switch to a current git master snapshot, which is KF5 based (https://invent.kde.org/multimedia/amarok) or retire | ||
* arora-0:0.11.0- | * arora-0:0.11.0-25.fc35.x86_64 | ||
=> Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package. | => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package. | ||
* brewtarget-0:2.1.0- | * brewtarget-0:2.1.0-18.fc35.x86_64 | ||
=> Upgrade to 2.3.0 release which supports Qt5 | => Upgrade to 2.3.0 release which supports Qt5 | ||
* gambas3-gb-qt4-webkit-0:3. | * gambas3-gb-qt4-webkit-0:3.16.2-3.fc35.x86_64, gambas3-gb-qt4-webview-0:3.16.2-3.fc35.x86_64 | ||
=> Drop subpackages | |||
* kde-runtime-libs-0:17.08.3-24.fc35.x86_64 | |||
=> Can be compiled without kdelibs-webkit support | |||
* kdelibs-6:4.14.38-28.fc35.x86_64, kdelibs-webkit-6:4.14.38-28.fc35.x86_64 | |||
=> Drop subpackage | => Drop subpackage | ||
* | * knode-libs-0:4.14.10-47.fc35.x86_64 | ||
=> | => Required by knode, an newsreading application, part of kdepim4. It should be possible to build kdepim4 with QTextBrowser as the HTML viewer instead (KDEPIM_NO_WEBKIT CMake flag), we need to give this a try. As upstream is dead, removing it would be another option. In this case it would be good to obsolete it from quiterss. | ||
* | * krecipes-0:2.1.0-14.fc35.x86_64 | ||
=> | => Recipes application, dead upstream. This one uses mainly KHTML. The QtWebKit dependency is used only in a workaround for printing because KHTML has bugs with printing. We can either drop the workaround, or find another workaround, or disable printing entirely. There is no replacement, and the QtWebKit dependency can be dropped. See [https://bugzilla.redhat.com/show_bug.cgi?id=1711519#c12]. | ||
* | * python3-PyQt4-webkit-0:4.12.3-17.fc35.x86_64 | ||
=> Leaf, retire. FTBFS: https://bugzilla.redhat.com/show_bug.cgi?id=2045171 https://bugzilla.redhat.com/show_bug.cgi?id=2038921 | |||
* qmc2-0:0.195-19.fc35.x86_64 | |||
=> Latest trunk supports Qt5, has landed in rawhide for Fedora 37 already | |||
* qt-assistant-1:4.8.7-65.fc35.x86_64 | |||
=> Build against QTextBrowser instead, which is supported as a fallback. This will degrade rendering quality, but it is better than dropping the package entirely. | |||
* qt-demos-1:4.8.7-65.fc35.x86_64 | |||
=> Drop the demos that depend on QtWebKit (or the entire subpackage) | |||
* qt-designer-plugin-webkit-1:4.8.7-65.fc35.x86_64 | |||
=> Drop subpackage | => Drop subpackage | ||
* | * qt-examples-1:4.8.7-65.fc35.x86_64 | ||
=> | => Drop the examples that depend on QtWebKit (or the entire subpackage) | ||
* | * qt4pas-0:2.5-23.fc35.x86_64 | ||
=> Leaf, retire | => Leaf, retire | ||
* qtscriptbindings-0:0.2.0-25.fc35.x86_64 | |||
* qtscriptbindings-0:0.2.0- | |||
=> Part of qtscriptgenerator, Only required by amarok. Retire. | => Part of qtscriptgenerator, Only required by amarok. Retire. | ||
* rekonq-0:2.4.2- | * rekonq-0:2.4.2-19.fc35.x86_64 | ||
=> Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package. | => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package. | ||
== Feedback == | == Feedback == | ||
Line 82: | Line 74: | ||
== Scope == | == Scope == | ||
* Proposal owners: | * Proposal owners: | ||
The following packages will be updated: | ** The following packages will be updated: | ||
* amarok: latest git | *** amarok: latest git | ||
* brewtarget: 2.3.0 | *** brewtarget: 2.3.0 | ||
* qmc2: latest trunk | *** qmc2: latest trunk | ||
** The following packages will be modified to disable QtWebKit support: | |||
The following packages will be | *** kde-runtime-libs | ||
* | *** kdepim4 (knode-libs) | ||
* kdepim4 | *** krecipes | ||
* krecipes | *** qt-assistant | ||
* | *** qt-demos | ||
* | *** qt-examples | ||
* | ** The following packages will be retired: | ||
* qt4pas | *** arora | ||
* qtscriptgenerator | *** qt4pas | ||
* rekonq | *** qtscriptgenerator (qtscriptbindings) | ||
* | *** rekonq | ||
** The following subpackages will be removed, and obsoleted by the corresponding main package: | |||
The following subpackages will be removed, and | *** gambas3-gb-qt4-webkit | ||
* gambas3-gb-qt4-webkit | *** kdelibs-webkit | ||
* kdelibs-webkit | *** qt-designer-plugin-webkit | ||
* | |||
* | |||
* qt-designer-plugin-webkit | |||
* Other developers: | * Other developers: | ||
<!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
** Maintainers of the packages mentioned above may need to work on their packages. | |||
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) | * Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) | ||
* Policies and guidelines: | * Policies and guidelines: | ||
No policy or guidelines updates necessary. | ** No policy or guidelines updates necessary. | ||
== Upgrade/compatibility impact == | == Upgrade/compatibility impact == | ||
Line 132: | Line 120: | ||
== Release Notes == | == Release Notes == | ||
Fedora | Fedora 37 will drop the unmaintained and insecure qtwebkit package. |
Latest revision as of 18:26, 14 April 2022
Qtwebkit removal
Summary
Qtwebkit (qt4 era package) is dead upstream, and has hundreds of known CVEs, many of them being remote code execution bugs. It's time to remove qtwebkit from the distribution. See also #1711519 which has been open without action for years.
Qtwebkit is one of the few packages which still needs python2 to build.
Owner
- Name: Sandro Mani
- Email: manisandro@gmail.com
Current status
- Targeted release: Fedora 37
- Last updated: 2022-04-14
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Here is a current list of packages depending on qtwebkit, and the relative proposals of how to deal with them:
- amarok-0:2.9.0-12.fc35.x86_64
=> Musicplayer. Switch to a current git master snapshot, which is KF5 based (https://invent.kde.org/multimedia/amarok) or retire
- arora-0:0.11.0-25.fc35.x86_64
=> Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.
- brewtarget-0:2.1.0-18.fc35.x86_64
=> Upgrade to 2.3.0 release which supports Qt5
- gambas3-gb-qt4-webkit-0:3.16.2-3.fc35.x86_64, gambas3-gb-qt4-webview-0:3.16.2-3.fc35.x86_64
=> Drop subpackages
- kde-runtime-libs-0:17.08.3-24.fc35.x86_64
=> Can be compiled without kdelibs-webkit support
- kdelibs-6:4.14.38-28.fc35.x86_64, kdelibs-webkit-6:4.14.38-28.fc35.x86_64
=> Drop subpackage
- knode-libs-0:4.14.10-47.fc35.x86_64
=> Required by knode, an newsreading application, part of kdepim4. It should be possible to build kdepim4 with QTextBrowser as the HTML viewer instead (KDEPIM_NO_WEBKIT CMake flag), we need to give this a try. As upstream is dead, removing it would be another option. In this case it would be good to obsolete it from quiterss.
- krecipes-0:2.1.0-14.fc35.x86_64
=> Recipes application, dead upstream. This one uses mainly KHTML. The QtWebKit dependency is used only in a workaround for printing because KHTML has bugs with printing. We can either drop the workaround, or find another workaround, or disable printing entirely. There is no replacement, and the QtWebKit dependency can be dropped. See [1].
- python3-PyQt4-webkit-0:4.12.3-17.fc35.x86_64
=> Leaf, retire. FTBFS: https://bugzilla.redhat.com/show_bug.cgi?id=2045171 https://bugzilla.redhat.com/show_bug.cgi?id=2038921
- qmc2-0:0.195-19.fc35.x86_64
=> Latest trunk supports Qt5, has landed in rawhide for Fedora 37 already
- qt-assistant-1:4.8.7-65.fc35.x86_64
=> Build against QTextBrowser instead, which is supported as a fallback. This will degrade rendering quality, but it is better than dropping the package entirely.
- qt-demos-1:4.8.7-65.fc35.x86_64
=> Drop the demos that depend on QtWebKit (or the entire subpackage)
- qt-designer-plugin-webkit-1:4.8.7-65.fc35.x86_64
=> Drop subpackage
- qt-examples-1:4.8.7-65.fc35.x86_64
=> Drop the examples that depend on QtWebKit (or the entire subpackage)
- qt4pas-0:2.5-23.fc35.x86_64
=> Leaf, retire
- qtscriptbindings-0:0.2.0-25.fc35.x86_64
=> Part of qtscriptgenerator, Only required by amarok. Retire.
- rekonq-0:2.4.2-19.fc35.x86_64
=> Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.
Feedback
Benefit to Fedora
Removal obsolete and insecure packages
Scope
- Proposal owners:
- The following packages will be updated:
- amarok: latest git
- brewtarget: 2.3.0
- qmc2: latest trunk
- The following packages will be modified to disable QtWebKit support:
- kde-runtime-libs
- kdepim4 (knode-libs)
- krecipes
- qt-assistant
- qt-demos
- qt-examples
- The following packages will be retired:
- arora
- qt4pas
- qtscriptgenerator (qtscriptbindings)
- rekonq
- The following subpackages will be removed, and obsoleted by the corresponding main package:
- gambas3-gb-qt4-webkit
- kdelibs-webkit
- qt-designer-plugin-webkit
- The following packages will be updated:
- Other developers:
- Maintainers of the packages mentioned above may need to work on their packages.
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- Policies and guidelines:
- No policy or guidelines updates necessary.
Upgrade/compatibility impact
Retired subpackages will be obsoleted by fedora-obsolete-packages. Others will remain as leafs.
How To Test
Nothing to test really, packages will just disappear.
User Experience
Some old applications will disappear.
Dependencies
See above.
Contingency Plan
None.
Release Notes
Fedora 37 will drop the unmaintained and insecure qtwebkit package.