Move to webkit2gtk in main

Bug #1469221 reported by Iain Lane
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Shotwell | Fix Released | Medium | |
apturl (Ubuntu) | Fix Released | Undecided | Unassigned |
shotwell (Ubuntu) | Fix Released | Undecided | Unassigned |
software-center (Ubuntu) | Fix Released | Undecided | Iain Lane |
webkit2gtk (Ubuntu) | Fix Released | Undecided | Unassigned |
webkitgtk (Ubuntu) | Fix Released | Undecided | Sebastien Bacher |

Bug Description

Look at porting things to the new webkit2 API. Upstream has dropped wk1 and so webkitgtk is not receiving updates any more.

We should aim to move webkit2gtk to main and webkitgtk to universe, eventually removing it once everything is ported.

Reverse-Depends
===============
* apturl (for gir1.2-webkit-3.0)
* empathy (for libwebkitgtk-3.0-0)
* evolution (for libwebkitgtk-3.0-0)
* evolution-dev (for libwebkitgtk-3.0-dev)
* libdevhelp-3-2 (for libwebkit2gtk-3.0-25)
* libdevhelp-dev (for libwebkit2gtk-3.0-dev)
* libevolution (for libwebkitgtk-3.0-0)
* libgoa-backend-1.0-1 (for libwebkitgtk-3.0-0)
* librhythmbox-core9 (for libwebkitgtk-3.0-0)
* libwebkit1.1-cil (for libwebkitgtk-1.0-0)
* libyelp-dev (for libwebkitgtk-3.0-dev)
* libyelp0 (for libwebkitgtk-3.0-0)
* rhythmbox-plugins (for gir1.2-webkit-3.0)
* shotwell (for libwebkitgtk-3.0-0)
* software-center (for gir1.2-webkit-3.0)
* ubiquity-frontend-gtk (for gir1.2-webkit-3.0)
* ubuntu-release-upgrader-gtk (for gir1.2-webkit-3.0)
* unity-control-center (for libwebkitgtk-3.0-0)
* yelp (for libwebkitgtk-3.0-0)
* zenity (for libwebkitgtk-3.0-0)

Changed in shotwell:
importance: Unknown → Medium
status: Unknown → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apturl - 0.5.2ubuntu8

---------------
apturl (0.5.2ubuntu8) wily; urgency=medium

  * Use webkit2 in addition to webkit1. (LP: #1469221)

 -- Iain Lane <email address hidden> Tue, 30 Jun 2015 12:59:59 +0100

Changed in apturl (Ubuntu):
status: New → Fix Released
Iain Lane (laney) wrote :

BTW I don't think this is going to happen for 15.10 - upstreams haven't fully caught up with this yet.

I'm working on ports but we won't be able to support two webkits in main so things need to remain wk1 compatible until we switch.

Michael Catanzaro (mike-catanzaro) wrote :

Hi, upstream WebKit developer here. I just want to mention that WebKit1 is no longer receiving security updates, so if you only want one version in main, it would be good to use WebKit2 instead if possible. Porting everything to WebKit2 is going to be a years-long process, I'm afraid, though your help could speed that up a lot (thanks!).

(I guess this doesn't make too much difference for you, since I see your WebKit2 package is still on 2.6.2 from last October. Imagine not updating Firefox in that time. Maybe you don't realize, but each new version includes fixes for mistakes that allow web sites to take control of your computer. 2.6.5 includes a fix for a mistake in the TLS code that results in your session cookies being sent to attackers. We are unfortunately very bad at announcing these problems and need to do better. Anyway, the current recommended version is 2.8.3.)

Michael Catanzaro (mike-catanzaro) wrote :

Also, as a warning, it is a huge task to port one of the email clients. There is upstream work on editor API to make it a bit easier.

Iain Lane (laney)
Changed in software-center (Ubuntu):
status: New → In Progress
assignee: nobody → Iain Lane (laney)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shotwell (Ubuntu):
status: New → Confirmed
Changed in webkit2gtk (Ubuntu):
status: New → Confirmed
Changed in webkitgtk (Ubuntu):
status: New → Confirmed
Steve Langasek (vorlon) wrote :

The devhelp package in main has just dropped the delta to use webkitgtk instead of webkit2gtk:

  https://launchpad.net/ubuntu/+source/devhelp/3.18.1-1ubuntu1

Laney, what's the status of this bug? Is this transition moving forward for xenial? Do we need an MIR for webkit2gtk or just a commitment to remove webkitgtk from main in favor of w2g? Should we pre-promote webkit2gtk to main to unblock things like devhelp, and mark this a critical bug against webkitgtk?

Iain Lane (laney) wrote :

Hi Steve,

I just reuploaded webkit to put the dependencies back to the version of WK2 shipped by webkitgtk in main.

The status of this bug is that we aren't actively working on it, although it is still a goal. Some of the packages are very difficult to port, not least the email clients, and would be best done by the upstream developers.

I put a note to myself to have another look in a few weeks. It may be possible to demote some of the rdepends (for example evolution and empathy) which could make the remaining set tractable for us to handle.

Cheers,
Iain

Tim Lunn (darkxst) wrote :

How about another angle, we drop the ancient webkit2gtk build from webkitgtk source and add webkit2gtk to main? That's gotta be better than the current situation, and the transition from webkit2gtk-3.0 to -4.0 should be easy.

Iain Lane (laney) wrote :

I've just spent a while pushing on this again. I think it's going to be possible.

ppa:laney/wk2 contains staged uploads.

Reverse-Build-Depends-Indep
===========================
* sphinx (for gir1.2-webkit-3.0) # unused, remove

Reverse-Build-Depends
=====================
* devhelp (for libwebkit2gtk-3.0-dev) # has Ubuntu patch, drop
* empathy (for libwebkitgtk-3.0-dev) # demote
* evolution (for libwebkitgtk-3.0-dev) # demote
* gnome-online-accounts (for libwebkitgtk-3.0-dev) # has Ubuntu patch, drop
* libproxy (for libwebkitgtk-3.0-dev) # distro patch
* libproxy (for libjavascriptcoregtk-3.0-dev) # ditto
* rhythmbox (for libwebkitgtk-3.0-dev) # Ported, submitted upstream, drop one plugin which is busted anyway
* shotwell (for libwebkitgtk-3.0-dev) # Ported, submitted and committed upstream, upload snapshot
* ubiquity (for gir1.2-webkit-3.0) # Ported, MPed
* unity-control-center (for libwebkitgtk-3.0-dev) # Ported, MPed
* webapps-applications (for gir1.2-webkit-3.0) # Ported, MPed
* yelp (for libwebkitgtk-3.0-dev) # Ported upstream in 3.18
* zenity (for libwebkitgtk-3.0-dev) # has Ubuntu patch, drop

Additionally, there is

Reverse-Depends
===============
* apturl (for gir1.2-webkit-3.0) # ported
* software-center (for gir1.2-webkit-3.0) # ported, MPed (possibly needs more testing)
* ubuntu-release-upgrader-gtk (for gir1.2-webkit-3.0) # ported, MPed
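
The reverse-dependency lists in the bug description and in the comment above share one line format, so they can be audited mechanically. The following is an added example, not part of the original report or of any Ubuntu tooling: it parses that format and reports which packages still pull in a WebKit1 library. Classifying a library by its binary package name is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# One list line, e.g. "* shotwell (for libwebkitgtk-3.0-dev) # Ported, ..."
ENTRY = re.compile(r"^\*\s+(\S+)\s+\(for\s+([^)\s]+)\)\s*(?:#\s*(.*))?$")

def webkit_api(lib):
    # Assumption: classify by binary package name; JavaScriptCore 3.0 counts as WebKit1.
    if "webkit2" in lib:
        return "webkit2"
    return "webkit1" if ("webkit" in lib or "javascriptcore" in lib) else "other"

def parse_rdepends(text):
    """Return {section: [(package, library, api, note), ...]}."""
    sections, current, prev = defaultdict(list), None, ""
    for line in map(str.strip, text.splitlines()):
        if set(line) == {"="}:   # "====" underline: previous line is the heading
            current = prev
        m = ENTRY.match(line)
        if m and current:
            pkg, lib, note = m.groups()
            sections[current].append((pkg, lib, webkit_api(lib), (note or "").strip()))
        prev = line
    return dict(sections)

def webkit1_dependents(sections):
    """Map each package that pulls in a WebKit1 library to those libraries."""
    out = defaultdict(set)
    for entries in sections.values():
        for pkg, lib, api, _ in entries:
            if api == "webkit1":
                out[pkg].add(lib)
    return {pkg: sorted(libs) for pkg, libs in sorted(out.items())}

# Constructed sample: lines copied from the lists in this report.
SAMPLE = """\
Reverse-Build-Depends
=====================
* devhelp (for libwebkit2gtk-3.0-dev) # has Ubuntu patch, drop
* libproxy (for libwebkitgtk-3.0-dev) # distro patch
* libproxy (for libjavascriptcoregtk-3.0-dev) # ditto

Reverse-Depends
===============
* apturl (for gir1.2-webkit-3.0) # ported
"""

if __name__ == "__main__":
    for pkg, libs in webkit1_dependents(parse_rdepends(SAMPLE)).items():
        print(f"{pkg}: {', '.join(libs)}")
```

The per-line annotation after `#` is kept in each tuple, so the same parse can be filtered for entries that carry no porting note yet.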

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package software-center - 16.01+16.04.20160217

---------------
software-center (16.01+16.04.20160217) xenial; urgency=medium

  * Port to WebKit 2 (LP: #1469221)

 -- Iain Lane <email address hidden> Wed, 17 Feb 2016 13:47:38 +0000

Changed in software-center (Ubuntu):
status: In Progress → Fix Released
Michael Catanzaro (mike-catanzaro) wrote :

FWIW:

        # enable certificates validation in webkit views unless specified otherwise
        if "SOFTWARE_CENTER_FORCE_DISABLE_CERTS_CHECK" in os.environ:
            context.set_tls_errors_policy(webkit.TLSErrorsPolicy.IGNORE)
            # WARN the user!! Do not remove this
            LOG.warning("SOFTWARE_CENTER_FORCE_DISABLE_CERTS_CHECK " +
                        "has been specified, all purchase transactions " +
                        "are now INSECURE and UNENCRYPTED!!")

Is not accurate, you are still going to have encryption. It just might be an encrypted connection to some attacker. :)

Iain Lane (laney) wrote :

Thanks Michael ;-)

  https://code.launchpad.net/~laney/software-center/ssl-disable-cert-wording/+merge/286512

The real reason I came to this bug is to mark the tasks Fix Released. Ubuntu's "main" is going to be webkit2 only shortly. The desktop image (a subset of main) already is. This still leaves both versions in Ubuntu as a whole of course - webkit 1 is only going to Universe.

Changed in shotwell (Ubuntu):
status: Confirmed → Fix Released
Changed in webkit2gtk (Ubuntu):
status: Confirmed → Fix Released
Changed in webkitgtk (Ubuntu):
assignee: nobody → Sebastien Bacher (seb128)
Nik Soams (fuj63904) wrote :

@Iain Lane
Great progress! Only one "webkit1" package in default is: libqt5webkit!
signon-ui-x11 (http://packages.ubuntu.com/xenial/signon-ui-x11) depends on libqt5webkit5

Can it be resolved so new LTS won't be released with known webkit1 bugs/security exploits?

Iain Lane (laney)
Changed in webkitgtk (Ubuntu):
status: Confirmed → Fix Released
Robert Ancell (robert-ancell) wrote :

Bug 1588150 opened to track the future removal of webkitgtk

Changed in shotwell:
status: Confirmed → Fix Released