Bug 1375812 - gnucash must not depend on webkitgtk
Summary: gnucash must not depend on webkitgtk
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: gnucash
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: webkit1-removal
Reported: 2016-09-14 04:47 UTC by Michael Catanzaro
Modified: 2018-01-11 21:10 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-15 01:58:27 UTC
Type: Bug
Embargoed:


Links: GNOME Bugzilla 751635 (last updated 2017-02-08 08:07:50 UTC)

Description Michael Catanzaro 2016-09-14 04:47:19 UTC
The webkitgtk package will be removed from rawhide after Fedora 26 is branched due to the high number of unfixed security vulnerabilities. You must remove this dependency or your package will not be present in Fedora 27.

Please refer to [1] for a FAQ on this matter and be advised that for some packages this may require a substantial amount of work.

[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/AKVB363GFCHHJ5MTHGVYHYT6NLLTF5VM/

Comment 1 Bill Nottingham 2016-09-14 15:03:35 UTC
Sigh. I suppose I should start kicking the flatpak tires.

In any case, this is for viewing local account data charts that comes from goffice. It's not processing untrusted input.

Comment 2 Michael Catanzaro 2016-09-14 17:05:01 UTC
(In reply to Bill Nottingham from comment #1)
> In any case, this is for viewing local account data charts that comes from
> goffice. It's not processing untrusted input.

If it has a file chooser dialog, then surely it can open untrusted files? Of course the risk is lower here than for a web browser or office suite, so you might be able to get a bundling exception.

Comment 3 Bill Nottingham 2016-09-14 18:58:54 UTC
Untrusted in the abstract sense that they come from the filesystem, I suppose.

But the vector would be something like:
- please open this gnucash account data I sent you, pretty please
- oh and please run this report on the account
- which then, due to the account values/data in the XML/sqlite file, somehow causes goffice to render WebKit-exploiting HTML
- which then is viewed by WebKit, causing an exploit

Not saying it can't be done, but the use case causing it would be somewhat far fetched.

Comment 4 Michael Catanzaro 2016-09-14 19:10:06 UTC
OK, that's a lot of steps; you might be able to get a bundling exception.

We do have flatpak support working well in Software, but I don't think it's integrated into Fedora yet; not sure if that will land prior to F27. It'd be unfortunate if going the flatpak route means users can't find gnucash with a simple search.

Comment 5 Yaakov Selkowitz 2017-01-24 19:22:09 UTC
(In reply to Michael Catanzaro from comment #4)
> OK that's a lot of steps, you might be able to get a bundling exception.

You're not seriously considering that this, and a few other packages, should *bundle* webkitgtk, instead of allowing them to continue using a webkitgtk package?  While it is certainly desirable to move packages away from older webkitgtk, I don't see how it can be removed until *everything* is off it.  (Not to mention that there isn't yet a mingw-webkitgtk4 to replace mingw-webkitgtk.)

Comment 6 Michael Catanzaro 2017-01-24 19:44:12 UTC
Yes, you need to bundle it and build it as part of the RPM package build, as we do not want to provide such a version of WebKit that we cannot maintain as a system library, sorry. GnuCash really should have upgraded three or four years ago.

(In reply to Yaakov Selkowitz from comment #5)
>  While it is certainly desirable to move packages away from older
> webkitgtk, I don't see how it can be removed until *everything* is off it. 
> (Not to mention that there isn't yet a mingw-webkitgtk4 to replace
> mingw-webkitgtk.)

Then we'd be waiting forever, since most of this software will never be ported, sad to say.

Comment 7 Felix Schwarz 2017-02-08 08:07:51 UTC
gnucash upstream is working on this.
> We have shifted our priorities for gnucash 2.8 because of this issue and will
> focus on getting this solved. This entails completing our port to gtk3 first.
> Expect this to be worked on in the coming weeks/months [2017-02-07].
...
> The goffice dependency will be resolved as well. I'm currently finishing work
> on a branch that drops our dependency on goffice completely. I expect to merge
> it this month.

So maybe everything will pan out just fine (even if gnucash is a bit behind in migrating to newer API); the upstream bug is https://bugzilla.gnome.org/show_bug.cgi?id=751635#c5

Comment 8 Fedora End Of Life 2017-02-28 10:16:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 9 Michael Catanzaro 2017-03-18 21:42:20 UTC
(In reply to Felix Schwarz from comment #7)
> So maybe everything will pan out just fine (even if gnucash is a bit behind
> in migrating to newer API), upstream bug is
> https://bugzilla.gnome.org/show_bug.cgi?id=751635#c5

Sounds like upstream developers have had good progress. webkitgtk was removed from rawhide last week, so gnucash is surely now broken. Hopefully that can be fixed soon thanks to the upstream work.

Comment 10 Bill Nottingham 2017-03-20 13:51:22 UTC
Yep, I'll fix up rawhide this week sometime (sorry about not being on top of it).

Comment 11 Bill Nottingham 2017-07-15 01:58:27 UTC
Or... not so much this week. Sorry.

In any case, fixed in 2.6.17-2.

Comment 13 Bill Nottingham 2017-07-15 18:52:17 UTC
Added in git, will show up whenever it gets built again.

Comment 14 Adam Williamson 2018-01-11 21:10:11 UTC
I came across this kinda randomly, and just had one note on it. As well as having the virtual 'bundled(webkitgtk)' Provide that it *ought* to have, gnucash actually advertises providing the library:

[adamw@adam gnucash (master)]$ sudo dnf repoquery --provides gnucash | grep webkit
bundled(webkitgtk) = 2.4.11
libwebkitgtk-1.0.so.0()(64bit)

*should* it do that? It installs the library to a subdirectory of $(libdir), so it's not actually on the default library resolving path, and it doesn't seem to provide an ldconfig snippet to add that directory to the path, so I don't think it really *does* 'provide' the library in a way anything else could realistically use. Also, I just don't think we really intend for a case like this to 'provide' the library for anything else to use, right?

I guess this is an automatic provision; if it is indeed unwanted, those can be suppressed, see https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering for details.
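The check described in comment 14, written up as an added shell helper (not part of the bug report or of the gnucash package): it reads a package's Provides list and flags soname Provides that sit beside a bundled(...) Provide, which is the situation where other packages could resolve their Requires against a private library copy. The sample input is constructed from the repoquery output quoted above, and the %{_libdir}/gnucash path in the comment is an assumption.

```sh
# Audit helper: given the Provides of a package (the format printed by
# `dnf repoquery --provides PKG`, one entry per line), report soname
# Provides that appear next to a bundled(...) Provide. A private copy under
# a subdirectory of libdir should not be exported as a soname that other
# packages' Requires can resolve against.
# Returns 0 when nothing is flagged, 1 when a leaked soname is found.
check_bundled_soname_leak() {
    provides_file=$1
    # No bundled(...) Provide: nothing to audit.
    grep -q '^bundled(' "$provides_file" || return 0
    # Soname Provides look like libfoo.so.N()(64bit).
    leaked=$(grep -E '^lib[^ ]*\.so[^ ]*\(\)' "$provides_file") || return 0
    printf 'bundled library also exported as soname Provide:\n%s\n' "$leaked"
    return 1
}

# Remedy described on the Fedora AutoProvidesAndRequiresFiltering page linked
# in comment 14: keep rpmbuild from generating Provides for the private copy,
# e.g. in the spec (assumed private libdir; adjust to the package's layout):
#   %global __provides_exclude_from ^%{_libdir}/gnucash/.*\.so.*$

# Constructed sample modelled on the repoquery output quoted in comment 14,
# not captured from a real system.
sample_provides=$(mktemp)
cat > "$sample_provides" <<'EOF'
bundled(webkitgtk) = 2.4.11
gnucash = 2.6.17-2
libwebkitgtk-1.0.so.0()(64bit)
EOF

check_bundled_soname_leak "$sample_provides" || echo "audit: soname leak detected"
```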

