Ubuntu
epiphany-browser package

[MIR] epiphany-browser-runtime

Bug #1689317 reported by Jeremy Bícha
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
epiphany-browser (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

Availability
============
Co-maintained with Debian GNOME. Built for all supported architectures.

Changes from Debian:
- Update to 3.24
- 07_bookmarks.patch: Add Ubuntu default bookmarks (as seen in Firefox)
- add_new_window_action.patch: Backported from 3.25, improves Unity integration a bit
- ubuntu_titlebars.patch: headerbar revert when run in Unity 7

Rationale
=========
Needed for Ubuntu to have a proper webapp feature, particularly for Amazon in the default install (LP: #1688627)
The alternatives are to either
1) ship Chromium, or
2) water down the webapp feature to just be basically a bookmark which would have poor desktop integration and wouldn't really be a webapp at all,
3) or drop the webapp feature from the default install

Security
========
The most recent fixed security bug is LP: #1661805 (fixed in 16.04 LTS and up)

https://security-tracker.debian.org/tracker/source-package/epiphany-browser
https://launchpad.net/epiphany-browser/+cve

epiphany-browser is far smaller than either Firefox or Chromium since most of its browser functionality (and security vulnerability) is provided by webkit2gtk.

epiphany does not support HSTS https://bugzilla.gnome.org/628298

New in epiphany 3.24 is off-by-default support for integrated HTTPS Everywhere using libhttpseverywhere (not yet packaged in Debian/Ubuntu) https://git.gnome.org/browse/libhttpseverywhere

Epiphany currently has no support for webextensions. NPAPI plugins are still supported.

Quality assurance
=================
The Desktop Bugs and Desktop Packages teams are already subscribed.

https://bugs.launchpad.net/ubuntu/+source/epiphany-browser
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=epiphany-browser
https://bugzilla.gnome.org/buglist.cgi?quicksearch=product%3A"epiphany"

No autopkgtest.

Tests aren't being run because of https://bugzilla.gnome.org/782246 Once that's fixed, we'll be sure to make failed tests fail the build.

Dependencies
============
There are 2 binary universe dependencies, browser-plugin-evince (for integrated PDF viewing) and libwebkit2gtk-4.0-37-gtk2 (for Flash support, but see LP: #1689313). Both of those already have their sources in main and neither is required for basic webapps.

Standards compliance
====================
3.9.8

Maintenance
===========
- Actively developed upstream (the primary developer is paid to work on webkitgtk)
https://git.gnome.org/browse/epiphany-browser

dh7-style short rules, compat level 10

3.25.1 uses meson for building instead of autotools.

Debian packaging uses svn, but we're hoping to convert to git this year (which will allow for Ubuntu branches):
https://sources.debian.net/src/epiphany-browser/unstable/debian/

Background information
======================
The intent here is to split epiphany-browser into 2 packages. The existing package would only contain the .desktop and appstream metadata and depend on the other package (provisionally named epiphany-browser-runtime) which would contain /usr/bin/epiphany-browser and the rest of the app. This is what Fedora does so that they can continue to have only one browser in the default install (Firefox) but still support webapps.

Therefore, only epiphany-browser-runtime and epiphany-browser-data would be in main; the other epiphany-browser package would remain in universe.

I intend to upload this split version to Ubuntu but I want to see if I can get feedback from Debian about the proposed package name and split first.

epiphany was in main until Ubuntu 9.10 "Karmic" (no MIR).

See original description
Jeremy Bícha (jbicha)
description: updated
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

We should probably try to avoid shipping more than one browser by default. Currently we ship Firefox (and shipping a browser on live images is up to the Desktop team, AFAIK). The package split appears to make sense to provide just the webapp integration feature (but it's not done yet).

I have not made a full review of epiphany yet; I think given it's a browser and has has security history (despite most issues would be caused by webkit2gtk if anything), it would benefit a proper Security team review.

Changed in epiphany-browser (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Adam Conrad (adconrad) wrote :

While the discussion is ongoing, the security team already NACKed this in:

https://bugs.launchpad.net/ubuntu/+source/webapps-applications/+bug/1688627

Emily Ratliff (emilyr)
Changed in epiphany-browser (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Mathieu Trudel-Lapierre (cyphermox)
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Marking incomplete / unassigning; the Security Team NAKed this MIR in a different bug already, so if it's still needed and deemed appropriate (including the previous comment about how it means we might ship multiple browsers), then please set this back to New.

Changed in epiphany-browser (Ubuntu):
status: New → Incomplete
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Revision history for this message
Jeremy Bícha (jbicha) wrote :

I'm unsubscribing ubuntu-mir for now.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for epiphany-browser (Ubuntu) because there has been no activity for 60 days.]

Changed in epiphany-browser (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.