qt5-qtwebkit is annulen's fork of QtWebKit, which is based on WebKitGTK 2.12 from early 2016. It's affected by hundreds of CVEs, mostly remote code execution vulnerabilities, detailed from WSA-2016-0006 to present at https://webkitgtk.org/security.html. annulen has been working on updating it, but it's slow going and frankly much too late. We shouldn't have a totally unsandboxed web engine in Fedora that has gone four years with no security updates. I suggest that it's time for this package, and everything that depends on it, to disappear from Fedora. Dependencies should migrate to QtWebEngine if possible, or remove web views entirely if not. $ repoquery --whatrequires qt5-qtwebkit Last metadata expiration check: 0:09:18 ago on Wed 26 Aug 2020 11:43:11 AM CDT. CutyCapt-0:0-0.17.20130714svn.fc32.x86_64 arc-gui-clients-0:0.4.6-21.fc32.x86_64 arc-gui-clients-0:0.4.6-22.fc32.x86_64 calamares-webview-0:3.2.11-7.fc32.x86_64 choqok-0:1.6.0-12.fc32.i686 choqok-0:1.6.0-12.fc32.x86_64 choqok-0:1.7.0-1.fc32.i686 choqok-0:1.7.0-1.fc32.x86_64 copyq-0:3.10.0-1.fc32.x86_64 copyq-0:3.12.0-1.fc32.x86_64 freecad-1:0.18.4-10.fc32.x86_64 freecad-1:0.18.4-6.fc32.x86_64 gambas3-gb-qt5-webkit-0:3.14.3-2.fc32.x86_64 goldendict-0:1.5-0.27.RC2.fc32.x86_64 k3b-1:19.08.3-3.fc32.x86_64 kchmviewer-0:7.7-1.fc32.x86_64 kdevelop-libs-9:5.5.0-3.fc32.i686 kdevelop-libs-9:5.5.0-3.fc32.x86_64 kdevelop-libs-9:5.5.2-1.fc32.i686 kdevelop-libs-9:5.5.2-1.fc32.x86_64 kexi-libs-0:3.1.0-7.fc32.i686 kexi-libs-0:3.1.0-7.fc32.x86_64 kf5-kdewebkit-0:5.68.0-1.fc32.i686 kf5-kdewebkit-0:5.68.0-1.fc32.x86_64 kf5-kdewebkit-0:5.70.0-1.fc32.i686 kf5-kdewebkit-0:5.70.0-1.fc32.x86_64 kf5-libkgeomap-0:19.12.2-1.fc32.i686 kf5-libkgeomap-0:19.12.2-1.fc32.x86_64 kmymoney-0:5.0.8-2.fc32.x86_64 kmymoney-0:5.1.0-1.fc32.x86_64 kmymoney-libs-0:5.0.8-2.fc32.i686 kmymoney-libs-0:5.0.8-2.fc32.x86_64 kmymoney-libs-0:5.1.0-1.fc32.i686 kmymoney-libs-0:5.1.0-1.fc32.x86_64 kreport-0:3.2.0-1.fc32.i686 kreport-0:3.2.0-1.fc32.x86_64 ktorrent-libs-0:5.1.2-2.fc32.i686 ktorrent-libs-0:5.1.2-2.fc32.x86_64 kvirc-0:5.0.0-8.fc32.i686 kvirc-0:5.0.0-8.fc32.x86_64 kwebkitpart-0:1.4.0-0.6.20190110.fc32.i686 kwebkitpart-0:1.4.0-0.6.20190110.fc32.x86_64 libalkimia-qt5-0:8.0.2-2.fc32.i686 libalkimia-qt5-0:8.0.2-2.fc32.x86_64 libalkimia-qt5-0:8.0.3-1.fc32.i686 libalkimia-qt5-0:8.0.3-1.fc32.x86_64 libssrfmarblewidget-0:4.6.2-9.fc32.i686 libssrfmarblewidget-0:4.6.2-9.fc32.x86_64 nextcloud-client-0:2.6.4-2.fc32.i686 nextcloud-client-0:2.6.4-2.fc32.x86_64 nextcloud-client-0:2.6.5-2.fc32.i686 nextcloud-client-0:2.6.5-2.fc32.x86_64 notepadqq-0:1.4.8-10.fc32.x86_64 otter-browser-0:1.0.01-4.fc32.x86_64 otter-browser-0:1.0.81-0.1.git3dc40e8.fc32.x86_64 psi-0:1.4-4.fc32.x86_64 psi-plugins-0:1.4-4.fc32.x86_64 psi-plus-1:1.4.654-6.fc32.x86_64 python3-qgis-0:3.12.1-1.fc32.i686 python3-qgis-0:3.12.1-1.fc32.x86_64 python3-qgis-0:3.12.1-4.fc32.i686 python3-qgis-0:3.12.1-4.fc32.x86_64 python3-qt5-webkit-0:5.13.2-5.fc32.x86_64 python3-qt5-webkit-0:5.14.2-3.fc32.x86_64 qgis-0:3.12.1-1.fc32.i686 qgis-0:3.12.1-1.fc32.x86_64 qgis-0:3.12.1-4.fc32.i686 qgis-0:3.12.1-4.fc32.x86_64 qgis-grass-0:3.12.1-1.fc32.i686 qgis-grass-0:3.12.1-1.fc32.x86_64 qgis-grass-0:3.12.1-4.fc32.i686 qgis-grass-0:3.12.1-4.fc32.x86_64 qgis-server-0:3.12.1-1.fc32.i686 qgis-server-0:3.12.1-1.fc32.x86_64 qgis-server-0:3.12.1-4.fc32.i686 qgis-server-0:3.12.1-4.fc32.x86_64 qt5-0:5.13.2-2.fc32.noarch qt5-qtwebkit-devel-0:5.212.0-0.42.alpha3.fc32.i686 qt5-qtwebkit-devel-0:5.212.0-0.42.alpha3.fc32.x86_64 qt5-qtwebkit-devel-0:5.212.0-0.46.alpha4.fc32.i686 qt5-qtwebkit-devel-0:5.212.0-0.46.alpha4.fc32.x86_64 quiterss-0:0.19.2-3.fc32.x86_64 quiterss-0:0.19.4-1.fc32.x86_64 qutebrowser-0:1.10.1-1.fc32.noarch recoll-0:1.26.5-1.fc32.i686 recoll-0:1.26.5-1.fc32.x86_64 recoll-0:1.27.3-1.fc32.i686 recoll-0:1.27.3-1.fc32.x86_64 rkward-0:0.7.1-1.fc32.x86_64 rocs-0:19.12.2-1.fc32.i686 rocs-0:19.12.2-1.fc32.x86_64 seafile-client-0:7.0.4-2.fc32.x86_64 sigil-0:0.9.14-4.fc32.x86_64 signon-ui-0:0.15-13.fc32.x86_64 skrooge-libs-0:2.20.0-5.fc32.i686 skrooge-libs-0:2.20.0-5.fc32.x86_64 skrooge-libs-0:2.22.1-1.fc32.i686 skrooge-libs-0:2.22.1-1.fc32.x86_64 trojita-0:0.7.0.1-0.5.20191104git36b0587.fc32.x86_64 umbrello-0:19.12.2-1.fc32.x86_64 vacuum-im-0:1.3.0-0.17.20191014git9f3952b.fc32.i686 vacuum-im-0:1.3.0-0.17.20191014git9f3952b.fc32.x86_64 vacuum-im-0:1.3.0-0.18.20200608gitb6c5dad.fc32.i686 vacuum-im-0:1.3.0-0.18.20200608gitb6c5dad.fc32.x86_64 webvfx-0:1.2.0-1.fc32.i686 webvfx-0:1.2.0-1.fc32.x86_64 wkhtmltopdf-0:0.12.5-1.fc32.3.i686 wkhtmltopdf-0:0.12.5-1.fc32.3.x86_64 wkhtmltopdf-0:0.12.6-1.fc32.i686 wkhtmltopdf-0:0.12.6-1.fc32.x86_64 zeal-0:0.6.1-5.fc32.x86_64
See also bug #1872823 for the original qtwebkit package.
This is just not practical at this time. We're already happy if we can get rid of Qt4WebKit.
Instead of killing qt5-qtwebkit entirely, should we maybe try shipping a snapshot from annulen's qtwebkit-dev or qtwebkit-dev-wip branches?
You could talk to him about that, but I understand it's not ready for distros yet. If it was, he would release it. I don't think it's a sustainable strategy anyway. Last commit to his development branch is in April. It's based on WebKit trunk from October last year. That's a lot better than 2016, but we've had a couple dozen CVEs since then that aren't yet fixed there. Even if we were to update now, before it's ready, we'll wind up back in the same place before long. QtWebKit has no future unless someone has $$$$$$/year to hire a small team of devs to help out. Surely it would be better to focus on porting apps to QtWebEngine and removing apps that cannot be ported. BTW, popular applications will not port themselves without a flag date. The clear set date at which WebKitGTK was to be removed from Fedora was the only way we managed to get WebKitGTK apps ported.
One big problem with QtWebEngine is that it is based on Chromium whose upstream rejects almost any contribution, as a result there no official support for eg. ppc64le in QtWebEngine :-(
So I actually forgot about this, but there is also QtWPE, which is basically WebKitGTK with all the usual GNOME deps, except with the GTK dependency removed, a QtWebKit API layered on top, and friendly non-abandoned upstream. I haven't tried it and I assume desktop integration will be a lot worse, but in theory it should be API-compatible, and at least it should receive security updates shortly after WebKitGTK. Maybe that's the path forward? (We would probably be first to attempt replacing it at the distro level....)
(In reply to Michael Catanzaro from comment #4) > You could talk to him about that, but I understand it's not ready for > distros yet. If it was, he would release it. Well, I would rather ship an experimental version of QtWebKit than none at all. > BTW, popular applications will not port themselves without a flag date. The > clear set date at which WebKitGTK was to be removed from Fedora was the only > way we managed to get WebKitGTK apps ported. That assumes that they care about being included in Fedora to begin with, which I think is much less of a motivation in the Qt/KDE world than in the GTK/GNOME world. And even for your WebKitGTK flag day, several popular applications were unable to meet it and were either removed or shipped with a bundled WebKitGTK (which is really silly, because now instead of one copy of a vulnerable codebase, you have several of them). (In reply to Michael Catanzaro from comment #6) > So I actually forgot about this, but there is also QtWPE, which is basically > WebKitGTK with all the usual GNOME deps, except with the GTK dependency > removed, a QtWebKit API layered on top, and friendly non-abandoned upstream. From your link: > WPEQt provides a QML plugin implementing […] but pretty much all the QtWebKit users are QWidgets applications, not QML applications. So this is not going to be a viable alternative for them.
(In reply to Kevin Kofler from comment #7) > And even for your WebKitGTK flag day, several popular applications were > unable to meet it and were either removed or shipped with a bundled > WebKitGTK (which is really silly, because now instead of one copy of a > vulnerable codebase, you have several of them). Which applications do still ship a bundled outdated webkitgtk? I only know of GnuCash which did this for a while but GnuCash only used it to display self-generated charts (i.e. trustworthy/safe content). And I think it does not do so any more. Also, I doubt any other package does as the following command lists no package: $ dnf repoquery --whatprovides webkitgtk A linux distribution like Fedora is also about responsibility for our users. Having this extremely unsecure code interact with untrustworthy content like websites is a huge risk for our users basically handing out their computers and data to any criminal hacker. When recommending people to use Fedora I don't want to care about telling them which packages not to install. In case you object this responsibility, why don't we make all the other security features (like PIE, privilege separation, passwords, …) optional?
It's pretty obvious at this point that volunteers to port packages are not going to emerge. Unless you set a flag date, like we did for WebKitGTK, you're going to be stuck with QtWebKit indefinitely. (In reply to Christian Stadelmann from comment #8) > Which applications do still ship a bundled outdated webkitgtk? I'm not aware of any doing so.
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.
This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle. Changing version to 37.
This message is a reminder that Fedora Linux 37 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '37'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 37 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Package still exists, problem still there on F39.