Ubuntu policy for WebKit security updates?
Adam Dingle
adam at medovina.org
Tue Sep 13 21:14:50 UTC 2016
This article from Michael Catanzaro is sobering:
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
It essentially makes two points:
1. WebKit 1 contains many security vulnerabilities that will probably
never be fixed, and yet some apps (e.g. Geary, GnuCash) still depend on
it.
2. For WebKit 2, the WebKit team fixes vulnerabilities only in its
latest stable and unstable versions, yet many distributions including
Ubuntu don't generally upgrade users to these versions, and don't
backport security fixes to previous versions (which would be hard).
Considering this second point, Xenial (16.04 LTS) contains
libwebkit2gtk-4.0 version 2.10.9-1ubuntu1, which was apparently last
updated in March 2016. It is presumably vulnerable to all the security
bugs in WebKitGTK's more recent security advisories, which include
numerous arbitrary code execution vulnerabilities:
https://webkitgtk.org/security/WSA-2016-0004.html
https://webkitgtk.org/security/WSA-2016-0005.html
As Michael points out, this is concerning because many apps (including
Epiphany, which I often use for browsing) use WebKit. He writes:
Some of the more notable users include Anjuta, Banshee, Bijiben
(GNOME Notes), Devhelp, Empathy, Evolution, Geany, Geary, GIMP, gitg,
GNOME Builder, GNOME Documents, GNOME Initial Setup, GNOME Online
Accounts, GnuCash, gThumb, Liferea, Midori, Rhythmbox, Shotwell, Sushi,
and Yelp (GNOME Help).
It appears that Ubuntu has three policy choices:
1) Upgrade users of existing Ubuntu releases such as Xenial to newer
stable WebKit 2 versions (e.g. 2.12.5, where all known vulnerabilities
are fixed). The cost of this is potential breakage if a new version of
WebKit 2 isn't completely compatible with the old. As Michael points
out, WebKit 2 "ensures that each release maintains both API and ABI
compatibility", but of course bugs are possible and he admits that
"there is some risk" that an update could break something.
2) Backport all security fixes to older WebKit versions such as 2.10.
This is almost certainly impractical.
3) Keep users at existing WebKit 2 versions with known vulnerabilities
(e.g. 2.10.9 in Xenial).
Has Ubuntu consciously chosen policy (3) over (1)? If so, this feels
unwise to me. I think the breakage in (1) would probably be minimal
since I've often built a newer WebKit 2 on an existing Ubuntu release
and it has always worked fine in existing apps as far as I can tell.
adam