From Fedora Project Wiki
No edit summary
(→‎Scope: Update for F35)
 
(15 intermediate revisions by 2 users not shown)
Line 2: Line 2:


== Summary ==
== Summary ==
Qtwebkit (qt4 era package) is dead upstream, and has hundreds of known CVEs. Also, it requires qt-location, which does not build against current proj versions. It's time to remove qtwebkit from the distribution. See also [https://bugzilla.redhat.com/show_bug.cgi?id=1711519 #1711519]
Qtwebkit (qt4 era package) is dead upstream, and has hundreds of known CVEs, many of them being remote code execution bugs. It's time to remove qtwebkit from the distribution. See also [https://bugzilla.redhat.com/show_bug.cgi?id=1711519 #1711519] which has been open without action for years.
 
Qtwebkit is one of the few packages which still needs python2 to build.


== Owner ==
== Owner ==
Line 17: Line 19:
[[Category:SystemWideChange]]
[[Category:SystemWideChange]]


* Targeted release: [[Releases/34 | Fedora 34 ]]  
* Targeted release: [[Releases/37 | Fedora 37]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: <will be assigned by the Wrangler>
Line 27: Line 29:
Here is a current list of packages depending on qtwebkit, and the relative proposals of how to deal with them:
Here is a current list of packages depending on qtwebkit, and the relative proposals of how to deal with them:


* amarok-0:2.9.0-9.fc33.x86_64
* amarok-0:2.9.0-12.fc35.x86_64
   => Musicplayer. Switch to a current git master snapshot, which is KF5 based (https://invent.kde.org/multimedia/amarok)
   => Musicplayer. Switch to a current git master snapshot, which is KF5 based (https://invent.kde.org/multimedia/amarok) or retire
* arora-0:0.11.0-23.fc33.x86_64
* arora-0:0.11.0-25.fc35.x86_64
   => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.
   => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.
* brewtarget-0:2.1.0-16.fc33.x86_64
* brewtarget-0:2.1.0-18.fc35.x86_64
   => Upgrade to 2.3.0 release which supports Qt5  
   => Upgrade to 2.3.0 release which supports Qt5  
* gambas3-gb-qt4-webkit-0:3.15.2-1.fc34.x86_64
* gambas3-gb-qt4-webkit-0:3.16.2-3.fc35.x86_64, gambas3-gb-qt4-webview-0:3.16.2-3.fc35.x86_64
  => Drop subpackages
* kde-runtime-libs-0:17.08.3-24.fc35.x86_64
  => Can be compiled without kdelibs-webkit support
* kdelibs-6:4.14.38-28.fc35.x86_64, kdelibs-webkit-6:4.14.38-28.fc35.x86_64
   => Drop subpackage
   => Drop subpackage
* kde-runtime-libs-0:17.08.3-15.fc33.x86_64
* knode-libs-0:4.14.10-47.fc35.x86_64
   => Can be compiled without kdelibs-webkit support
  => Required by knode, an newsreading application, part of kdepim4. It should be possible to build kdepim4 with QTextBrowser as the HTML viewer instead (KDEPIM_NO_WEBKIT CMake flag), we need to give this a try. As upstream is dead, removing it would be another option. In this case it would be good to obsolete it from quiterss.
* kde-workspace
* krecipes-0:2.1.0-14.fc35.x86_64
   => Can be patched to compile without kdelibs-webkit support, it has been done by RHEL.
   => Recipes application, dead upstream. This one uses mainly KHTML. The QtWebKit dependency is used only in a workaround for printing because KHTML has bugs with printing. We can either drop the workaround, or find another workaround, or disable printing entirely. There is no replacement, and the QtWebKit dependency can be dropped. See [https://bugzilla.redhat.com/show_bug.cgi?id=1711519#c12].
* kdelibs-webkit-6:4.14.38-23.fc34.x86_64
* python3-PyQt4-webkit-0:4.12.3-17.fc35.x86_64
  => Leaf, retire. FTBFS: https://bugzilla.redhat.com/show_bug.cgi?id=2045171 https://bugzilla.redhat.com/show_bug.cgi?id=2038921
* qmc2-0:0.195-19.fc35.x86_64
   => Latest trunk supports Qt5, has landed in rawhide for Fedora 37 already
* qt-assistant-1:4.8.7-65.fc35.x86_64
  => Build against QTextBrowser instead, which is supported as a fallback. This will degrade rendering quality, but it is better than dropping the package entirely.
* qt-demos-1:4.8.7-65.fc35.x86_64
  => Drop the demos that depend on QtWebKit (or the entire subpackage)
* qt-designer-plugin-webkit-1:4.8.7-65.fc35.x86_64
   => Drop subpackage
   => Drop subpackage
* knode-libs-0:4.14.10-44.fc33.x86_64
* qt-examples-1:4.8.7-65.fc35.x86_64
   => Required by knode, an newsreading application, part of kdepim4. It should be possible to build kdepim4 with QTextBrowser as the HTML viewer instead (KDEPIM_NO_WEBKIT CMake flag), we need to give this a try. Retiring kdepim4 is not an option because there is no replacement for KNode.
   => Drop the examples that depend on QtWebKit (or the entire subpackage)
* krecipes-0:2.1.0-12.fc33.x86_64
* qt4pas-0:2.5-23.fc35.x86_64
  => Recipes application, dead upstream. This one uses mainly KHTML. The QtWebKit dependency is used only in a workaround for printing because KHTML has bugs with printing. We can either drop the workaround, or find another workaround, or disable printing entirely. There is no replacement, and the QtWebKit dependency can be dropped, so we should not retire this package. See [https://bugzilla.redhat.com/show_bug.cgi?id=1711519#c12].
* ksysguard-libs-1:4.11.22-28.fc33.x86_64
  => Part of kde-workspace, see below.
* libkfbapi-0:1.0-16.fc32.x86_64
   => Leaf, retire
   => Leaf, retire
* python3-PyQt4-webkit-0:4.12.3-13.fc33.x86_64
* qtscriptbindings-0:0.2.0-25.fc35.x86_64
  => Leaf, retire
* qlandkartegt-0:1.8.1-28.fc33.x86_64
  => Retire
* qmc2-0:0.195-14.fc34.x86_64
  => Latest trunk supports Qt5
* qt-assistant-1:4.8.7-57.fc34.x86_64
  => Drop subpackae
* qt-demos-1:4.8.7-57.fc34.x86_64
  => Drop subpackae
* qt-designer-plugin-webkit-1:4.8.7-57.fc34.x86_64
  => Drop subpackae
* qt-examples-1:4.8.7-57.fc34.x86_64
  => Drop subpackae
* qt4pas-0:2.5-21.fc33.x86_64
  => Leaf, retire
* qtscriptbindings-0:0.2.0-23.fc33.x86_64
   => Part of qtscriptgenerator, Only required by amarok. Retire.
   => Part of qtscriptgenerator, Only required by amarok. Retire.
* rekonq-0:2.4.2-17.fc33.x86_64
* rekonq-0:2.4.2-19.fc35.x86_64
   => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.
   => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.
* timetablemate-0:0.10-0.24.20111204git.fc32.x86_64
  => Plasma 5 applet, last activity in 2013. Retire.


== Feedback ==
== Feedback ==
Line 82: Line 74:
== Scope ==
== Scope ==
* Proposal owners:
* Proposal owners:
The following packages will be updated:
** The following packages will be updated:
* amarok: latest git
*** amarok: latest git
* brewtarget: 2.3.0
*** brewtarget: 2.3.0
* qmc2: latest trunk
*** qmc2: latest trunk
 
** The following packages will be modified to disable QtWebKit support:
The following packages will be retired:
*** kde-runtime-libs
* arora
*** kdepim4 (knode-libs)
* kdepim4
*** krecipes
* krecipes
*** qt-assistant
* kwooty
*** qt-demos
* libkfbapi
*** qt-examples
* qlandkartegt
** The following packages will be retired:
* qt4pas
*** arora
* qtscriptgenerator
*** qt4pas
* rekonq
*** qtscriptgenerator (qtscriptbindings)
* timetablemate
*** rekonq
 
** The following subpackages will be removed, and obsoleted by the corresponding main package:
The following subpackages will be removed, and added to fedora-obsolete-packages:
*** gambas3-gb-qt4-webkit
* gambas3-gb-qt4-webkit
*** kdelibs-webkit
* kdelibs-webkit
*** qt-designer-plugin-webkit
* qt-assistant
* qt-demos
* qt-designer-plugin-webkit
* qt-examples


* Other developers:
* Other developers:
No work should be needed from other developers.
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
** Maintainers of the packages mentioned above may need to work on their packages.


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed)
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed)


* Policies and guidelines:
* Policies and guidelines:
No policy or guidelines updates necessary.
** No policy or guidelines updates necessary.


== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==
Line 132: Line 120:


== Release Notes ==
== Release Notes ==
Fedora 34 will drop the unmaintained and insecure qtwebkit package.
Fedora 37 will drop the unmaintained and insecure qtwebkit package.

Latest revision as of 18:26, 14 April 2022

Qtwebkit removal

Summary

Qtwebkit (qt4 era package) is dead upstream, and has hundreds of known CVEs, many of them being remote code execution bugs. It's time to remove qtwebkit from the distribution. See also #1711519 which has been open without action for years.

Qtwebkit is one of the few packages which still needs python2 to build.

Owner

Current status

  • Targeted release: Fedora 37
  • Last updated: 2022-04-14
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Here is a current list of packages depending on qtwebkit, and the relative proposals of how to deal with them:

  • amarok-0:2.9.0-12.fc35.x86_64
 => Musicplayer. Switch to a current git master snapshot, which is KF5 based (https://invent.kde.org/multimedia/amarok) or retire
  • arora-0:0.11.0-25.fc35.x86_64
 => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.
  • brewtarget-0:2.1.0-18.fc35.x86_64
 => Upgrade to 2.3.0 release which supports Qt5 
  • gambas3-gb-qt4-webkit-0:3.16.2-3.fc35.x86_64, gambas3-gb-qt4-webview-0:3.16.2-3.fc35.x86_64
 => Drop subpackages
  • kde-runtime-libs-0:17.08.3-24.fc35.x86_64
 => Can be compiled without kdelibs-webkit support
  • kdelibs-6:4.14.38-28.fc35.x86_64, kdelibs-webkit-6:4.14.38-28.fc35.x86_64
 => Drop subpackage
  • knode-libs-0:4.14.10-47.fc35.x86_64
 => Required by knode, an newsreading application, part of kdepim4. It should be possible to build kdepim4 with QTextBrowser as the HTML viewer instead (KDEPIM_NO_WEBKIT CMake flag), we need to give this a try. As upstream is dead, removing it would be another option. In this case it would be good to obsolete it from quiterss.
  • krecipes-0:2.1.0-14.fc35.x86_64
 => Recipes application, dead upstream. This one uses mainly KHTML. The QtWebKit dependency is used only in a workaround for printing because KHTML has bugs with printing. We can either drop the workaround, or find another workaround, or disable printing entirely. There is no replacement, and the QtWebKit dependency can be dropped. See [1].
  • python3-PyQt4-webkit-0:4.12.3-17.fc35.x86_64
 => Leaf, retire. FTBFS: https://bugzilla.redhat.com/show_bug.cgi?id=2045171 https://bugzilla.redhat.com/show_bug.cgi?id=2038921
  • qmc2-0:0.195-19.fc35.x86_64
 => Latest trunk supports Qt5, has landed in rawhide for Fedora 37 already
  • qt-assistant-1:4.8.7-65.fc35.x86_64
 => Build against QTextBrowser instead, which is supported as a fallback. This will degrade rendering quality, but it is better than dropping the package entirely.
  • qt-demos-1:4.8.7-65.fc35.x86_64
 => Drop the demos that depend on QtWebKit (or the entire subpackage)
  • qt-designer-plugin-webkit-1:4.8.7-65.fc35.x86_64
 => Drop subpackage
  • qt-examples-1:4.8.7-65.fc35.x86_64
 => Drop the examples that depend on QtWebKit (or the entire subpackage)
  • qt4pas-0:2.5-23.fc35.x86_64
 => Leaf, retire
  • qtscriptbindings-0:0.2.0-25.fc35.x86_64
 => Part of qtscriptgenerator, Only required by amarok. Retire.
  • rekonq-0:2.4.2-19.fc35.x86_64
 => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.

Feedback

Benefit to Fedora

Removal obsolete and insecure packages

Scope

  • Proposal owners:
    • The following packages will be updated:
      • amarok: latest git
      • brewtarget: 2.3.0
      • qmc2: latest trunk
    • The following packages will be modified to disable QtWebKit support:
      • kde-runtime-libs
      • kdepim4 (knode-libs)
      • krecipes
      • qt-assistant
      • qt-demos
      • qt-examples
    • The following packages will be retired:
      • arora
      • qt4pas
      • qtscriptgenerator (qtscriptbindings)
      • rekonq
    • The following subpackages will be removed, and obsoleted by the corresponding main package:
      • gambas3-gb-qt4-webkit
      • kdelibs-webkit
      • qt-designer-plugin-webkit
  • Other developers:
    • Maintainers of the packages mentioned above may need to work on their packages.
  • Policies and guidelines:
    • No policy or guidelines updates necessary.

Upgrade/compatibility impact

Retired subpackages will be obsoleted by fedora-obsolete-packages. Others will remain as leafs.

How To Test

Nothing to test really, packages will just disappear.

User Experience

Some old applications will disappear.

Dependencies

See above.

Contingency Plan

None.

Release Notes

Fedora 37 will drop the unmaintained and insecure qtwebkit package.