
Bug#777608: zenity: depends on libwebkitgtk which doesn't have security support


Török Edwin, Feb 10, 2015, 11:30:02 AM
Package: zenity
Version: 3.14.0-1
Severity: normal

Dear Maintainer,

* What led up to the situation?

Install debian-security-support package and try to remove the packages
that don't have security support.

* What exactly did you do (or not do) that was effective (or
ineffective)?

$ check-support-status
* Source:webkitgtk
Details: No security support upstream and backports not feasible, only for
use on trusted content
Affected binary packages:
- libjavascriptcoregtk-3.0-0:amd64 (installed version: 2.4.8-1)
- libwebkitgtk-3.0-0:amd64 (installed version: 2.4.8-1)
- libwebkitgtk-3.0-common (installed version: 2.4.8-1)
# apt-get purge libwebkitgtk-3.0-0

* What was the outcome of this action?

The following packages will be REMOVED:
libwebkitgtk-3.0-0* marco* mate-desktop-environment*
mate-desktop-environment-core* mate-media* mate-media-pulse*
task-mate-desktop* zenity*
The following NEW packages will be installed:
mate-media-gstreamer

* What outcome did you expect instead?

The desktop environment to stay installed.
MATE, Cinnamon (and Gnome too) depend on zenity, which depends on libwebkitgtk-3.0-0.

FWIW KDE depends on kdelibs4, where check-security-support complains about
khtml. I haven't checked XFCE and LXDE.

I see that zenity has a configure flag to enable/disable webkit support,
would it be possible to provide a zenity-nohtml package that would
"Provides: zenity" so I can keep my *DE installed without depending on a package that has
no security support?
(Or have a zenity-html and zenity-nohtml package both providing the virtual
zenity package, and using recommends somehow to choose the html version by
default?)


-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages zenity depends on:
ii libc6 2.19-13
ii libgdk-pixbuf2.0-0 2.31.1-2+b1
ii libglib2.0-0 2.42.1-1
ii libgtk-3-0 3.14.5-1
ii libnotify4 0.7.6-2
ii libpango-1.0-0 1.36.8-3
ii libwebkitgtk-3.0-0 2.4.8-1
ii libx11-6 2:1.6.2-3
ii zenity-common 3.14.0-1

zenity recommends no packages.

zenity suggests no packages.

-- no debconf information



Simon McVittie, Jan 28, 2023, 7:10:03 AM
Control: retitle -1 zenity: depends on WebKitGTK
Control: severity -1 wishlist

On Tue, 10 Feb 2015 at 18:22:52 +0200, Török Edwin wrote:
> * Source:webkitgtk
> Details: No security support upstream and backports not feasible, only for
> use on trusted content

This is no longer the case in any supported Debian release: WebKitGTK
receives security updates since Debian 10. (The security-supported version
is the webkit2gtk source package, rather than webkitgtk, but modern
versions of zenity use webkit2gtk.)

> I see that zenity has a configure flag to enable/disable webkit support,
> would it be possible to provide a zenity-nohtml package that would
> "Provides: zenity" so I can keep my *DE installed without depending on a package that has
> no security support?

The problem with that approach is that an unknown number of packages and
user scripts run `zenity --text-info --html ...`, which requires the
WebKit feature to be enabled. Until now, "Depends: zenity" has been a
correct way to declare a dependency on an HTML-capable version of zenity,
so we can't easily tell whether a package with "Depends: zenity" needs
that feature or not.

One possible alternative would be to provide a package without WebKit
HTML support, named zenity-minimal or zenity-nohtml or something, but
*not* add a Provides on the zenity name, and ask high-profile dependent
packages like mutter and metacity to update their dependency to
"Depends: zenity | zenity-minimal" if they don't need the HTML feature.

That seems quite a long way to go to avoid a dependency (typically Debian
packages enable all reasonable features, even if they come with extra
dependencies); but on the other hand, WebKitGTK is very large (and in fact
in my day job I maintain a fork of the zenity packaging with HTML disabled,
for the Steam Runtime), so maybe it's worth it.

smcv
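A constructed illustration of the Provides-versus-alternatives point made above; this is an added example, not code from the thread or from Debian's tooling. It parses Depends fields the way dpkg names them (alternatives with `|`, version and architecture qualifiers stripped) and shows why a `zenity-nohtml` that declares `Provides: zenity` silently satisfies a package that really needs `zenity --html`, while a `zenity-minimal` with no Provides only satisfies packages that opted in with `Depends: zenity | zenity-minimal`. Package names and control fields are constructed for the demonstration.

```python
import re


def parse_depends(field):
    """Split a Debian Depends field into groups of alternatives.

    'zenity | zenity-minimal, libgtk-3-0 (>= 3.14)' becomes
    [['zenity', 'zenity-minimal'], ['libgtk-3-0']]; version constraints
    and architecture qualifiers are dropped because only names matter here.
    """
    groups = []
    for clause in field.split(","):
        alts = [re.split(r"[\s(\[:]", alt.strip(), maxsplit=1)[0]
                for alt in clause.split("|") if alt.strip()]
        if alts:
            groups.append(alts)
    return groups


def unsatisfied(field, installed):
    """Return the alternative groups that no installed package meets.

    `installed` maps a real package name to the set of virtual names it
    Provides, so a name is available if it is installed or provided.
    """
    available = set(installed)
    for provided in installed.values():
        available |= provided
    return [g for g in parse_depends(field)
            if not any(a in available for a in g)]


# Constructed package sets for the two designs discussed in the thread.
PROVIDES_ZENITY = {"zenity-nohtml": {"zenity"}}  # Provides: zenity, no WebKit
NO_PROVIDES = {"zenity-minimal": set()}          # no Provides on the zenity name


def html_consumer_is_fooled(installed):
    """True when a package that needs `zenity --html` (and so declares only
    'Depends: zenity') installs cleanly on a system without the real zenity."""
    return not unsatisfied("zenity", installed) and "zenity" not in installed
```

Running `html_consumer_is_fooled` over both sets shows the first design hides the missing feature until the script fails at runtime, whereas the second design turns it into an install-time dependency error that the maintainer can see and fix.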

Simon McVittie, Jun 19, 2023, 9:40:05 AM
On Sat, 28 Jan 2023 at 12:01:41 +0000, Simon McVittie wrote:
> On Tue, 10 Feb 2015 at 18:22:52 +0200, Török Edwin wrote:
> > I see that zenity has a configure flag to enable/disable webkit support,
> > would it be possible to provide a zenity-nohtml package that would
> > "Provides: zenity" so I can keep my *DE installed without depending on a package that has
> > no security support?
>
> The problem with that approach is that an unknown number of packages and
> user scripts run `zenity --text-info --html ...`, which requires the
> WebKit feature to be enabled. Until now, "Depends: zenity" has been a
> correct way to declare a dependency on an HTML-capable version of zenity,
> so we can't easily tell whether a package with "Depends: zenity" needs
> that feature or not.

Coming back to this after the Debian 12 release:

Since then, I've found that the versions of zenity in various other
distributions (including at least Arch, Fedora and openSUSE) are built
with the WebKit feature disabled. This means that portable software cannot
safely assume that `zenity --text-info --html ...` will work, making it
less likely that we have packages in Debian that rely on that feature.

Now that we're at the beginning of the Debian 13 cycle, it's the right time
to be making disruptive changes, so my proposal is now:

- upload zenity with the WebKit feature disabled
- see whether there are bug reports
- if there are no bug reports, leave the feature disabled
- if lots of packages need the WebKit feature, re-enable it, and add a
zenity-minimal (or similar) that doesn't have it
- if only a few packages need the WebKit feature, add a zenity-full package
and ask those packages to switch their dependency

I'm hoping that the result will be: no bug reports, and the feature stays
disabled.

If there are no objections from GNOME team maintainers, I'll upload
this change to experimental shortly, and aim to upload to unstable by
the end of this month.

smcv