Qtwebkit removal
Summary
Qtwebkit (qt4 era package) is dead upstream, and has hundreds of known CVEs. Also, it requires qt-location, which does not build against current proj versions. It's time to remove qtwebkit from the distribution. See also #1711519
Owner
- Name: Sandro Mani
- Email: manisandro@gmail.com
Current status
- Targeted release: Fedora 34
- Last updated: 2020-11-06
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Here is a current list of packages depending on qtwebkit, and the relative proposals of how to deal with them:
- amarok-0:2.9.0-9.fc33.x86_64
=> Musicplayer. Switch to a current git master snapshot, which is KF5 based (https://invent.kde.org/multimedia/amarok)
- arora-0:0.11.0-23.fc33.x86_64
=> Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.
- brewtarget-0:2.1.0-16.fc33.x86_64
=> Upgrade to 2.3.0 release which supports Qt5
- gambas3-gb-qt4-webkit-0:3.15.2-1.fc34.x86_64
=> Drop subpackage
- kde-runtime-libs-0:17.08.3-15.fc33.x86_64
=> Can be compiled without kdelibs-webkit support
- kde-workspace
=> Can be patched to compile without kdelibs-webkit support, it has been done by RHEL.
- kdelibs-webkit-6:4.14.38-23.fc34.x86_64
=> Drop subpackage
- knode-libs-0:4.14.10-44.fc33.x86_64
=> Required by knode, an newsreading application, part of kdepim4. It should be possible to build kdepim4 with QTextBrowser as the HTML viewer instead (KDEPIM_NO_WEBKIT CMake flag), we need to give this a try. Retiring kdepim4 is not an option because there is no replacement for KNode.
- krecipes-0:2.1.0-12.fc33.x86_64
=> Recipes application, dead upstream. This one uses mainly KHTML. The QtWebKit dependency is used only in a workaround for printing because KHTML has bugs with printing. We can either drop the workaround, or find another workaround, or disable printing entirely. There is no replacement, and the QtWebKit dependency can be dropped, so we should not retire this package. See [1].
- ksysguard-libs-1:4.11.22-28.fc33.x86_64
=> Part of kde-workspace, see below.
- libkfbapi-0:1.0-16.fc32.x86_64
=> Leaf, retire
- python3-PyQt4-webkit-0:4.12.3-13.fc33.x86_64
=> Leaf, retire
- qlandkartegt-0:1.8.1-28.fc33.x86_64
=> Retire
- qmc2-0:0.195-14.fc34.x86_64
=> Latest trunk supports Qt5
- qt-assistant-1:4.8.7-57.fc34.x86_64
=> Build against QTextBrowser instead, which is supported as a fallback. This will degrade rendering quality, but it is better than dropping the package entirely.
- qt-demos-1:4.8.7-57.fc34.x86_64
=> Drop the demos that depend on QtWebKit (or the entire subpackage)
- qt-designer-plugin-webkit-1:4.8.7-57.fc34.x86_64
=> Drop subpackage
- qt-examples-1:4.8.7-57.fc34.x86_64
=> Drop the examples that depend on QtWebKit (or the entire subpackage)
- qt4pas-0:2.5-21.fc33.x86_64
=> Leaf, retire
- qtscriptbindings-0:0.2.0-23.fc33.x86_64
=> Part of qtscriptgenerator, Only required by amarok. Retire.
- rekonq-0:2.4.2-17.fc33.x86_64
=> Browser. Retire, no-one should be using this considering the CVEs in qtwebkit. Users should use a QtWebEngine browser such as Falkon instead. Obsoletes can be added to the falkon package.
- timetablemate-0:0.10-0.24.20111204git.fc32.x86_64
=> Subpackage of the Plasma 4 Public Transport applet (kde-plasma-publictransport), last activity in 2013. Retire.
Feedback
Benefit to Fedora
Removal obsolete and insecure packages
Scope
- Proposal owners:
The following packages will be updated:
- amarok: latest git
- brewtarget: 2.3.0
- qmc2: latest trunk
The following packages will be retired:
- arora
- kdepim4
- krecipes
- kwooty
- libkfbapi
- qlandkartegt
- qt4pas
- qtscriptgenerator
- rekonq
- timetablemate
The following subpackages will be removed, and added to fedora-obsolete-packages:
- gambas3-gb-qt4-webkit
- kdelibs-webkit
- qt-assistant
- qt-demos
- qt-designer-plugin-webkit
- qt-examples
- Other developers:
No work should be needed from other developers.
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- Policies and guidelines:
No policy or guidelines updates necessary.
Upgrade/compatibility impact
Retired subpackages will be obsoleted by fedora-obsolete-packages. Others will remain as leafs.
How To Test
Nothing to test really, packages will just disappear.
User Experience
Some old applications will disappear.
Dependencies
See above.
Contingency Plan
None.
Release Notes
Fedora 34 will drop the unmaintained and insecure qtwebkit package.