Jonathan Riddell jonathan.riddell at canonical.com
Fri Dec 23 19:08:54 UTC 2011

> While it is true that KDE and Qt do provide predisclosure and active
> security updates, they have already stopped providing this support for
> the versions of KDE in 10.04 LTS, and 10.04 is only 2.5 years into its
> LTS. Is there a firm commitment from upstream regarding their support
> for KDE4 (especially considering they will be busy with KDE/Qt 5) for 5
> years?

Yes, KDE will provide the same security support for 4.8 as they do for every
other release, which is to provide patches for trunk and the latest two
releases.  This policy is well published, unlike, say, Gnome, which doesn't have a
policy that I can find.

Qt is part of Ubuntu Desktop so it's already LTS for 5 years.  Nokia's security
policy is not as clear as it should be but tends to be the same as KDE's,
trunk and the last two releases.

> Also, KDE/Qt has not provided any assistance with qtwebkit and this is
> putting their users at risk. I strongly advise that Kubuntu move to
> Ubuntu's supported browser, Firefox so that users may continue to get
> timely security updates for their browser-- arguably one of the most
> important applications for any desktop user.

Qt's support of QtWebKit is not great; they put patches into master but don't
make them for previous versions.  This is equivalent to, say, Firefox, who also
don't make updates available for past releases.  We could treat QtWebKit like
Firefox and SRU new versions.

Changing Kubuntu to use Firefox goes against what makes Kubuntu a unique 
product of promoting the best of KDE software, although other members of the 
Kubuntu team feel differently.

> Furthermore, while the Ubuntu Security team has been performing security
> updates for Kubuntu, the support from the Kubuntu community has waned in
> this regard. At this point, we still get patch URLs, but often debdiffs
> are only for the latest release (or maybe where the patch applies
> cleanly). 

Community members have never been that thrilled about doing the tedious work 
of security updates.  Since Kubuntu is a Canonical supported product I've 
always considered security updates to be Canonical's job and as such I've done 
it unless I notice the security team acting on it.  Now that I'm back on 
Kubuntu I expect to do most of these in the future.


