Please remove wpewebkit and block syncs from Debian
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cog (Ubuntu) | Fix Released | Undecided | Unassigned |
gst-plugins-bad1.0 (Ubuntu) | Fix Released | Undecided | Marc Deslauriers |
wpewebkit (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
The wpewebkit package contains a whole webkit browser engine. It is currently not used by anything of substance in Ubuntu:
$ reverse-depends src:wpewebkit
Reverse-Depends
* cog (for libwpewebkit-1.1-0)
* gstreamer1.0-wpe (for libwpewebkit-1.1-0)
cog is a single-window browser for embedded devices that is not used by anything else in the archive.
gstreamer1.0-wpe is a plugin based on wpewebkit that is not used by anything else in the archive.
Using this browser engine on the Internet is very risky as it is not currently maintained and contains hundreds of security flaws, and maintaining it requires a tremendous amount of work.
As such, I don't believe this package is suitable for the Ubuntu archive.
I recommend we disable the build in gstreamer and remove both cog and wpewebkit, and put a block on syncs from Debian.
Changed in gst-plugins-bad1.0 (Ubuntu):
status: New → Fix Committed
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in wpewebkit (Ubuntu):
status: Incomplete → New
Apologies if this is a silly question, but is it only not maintained in Ubuntu? A quick look at Debian Salsa reveals that webkit, wpewebkit, and cog all are actively maintained in Debian. Both are also actively developed on GitHub.
https://salsa.debian.org/webkit-team/webkit (webkit and wpewebkit maintenance)
https://salsa.debian.org/berto/cog (cog maintenance)
https://github.com/WebPlatformForEmbedded/WPEWebKit (wpewebkit development)
https://github.com/Igalia/cog (cog development)
There may be legitimate uses for an embedded web browser in a non-Internet-connected environment, which cog and wpewebkit would provide (for instance, a clock in/clock out system or accessing company-provided web apps from lightweight devices). What if rather than removing it from Ubuntu entirely, we simply synced it from Debian to provide bug and security fixes in newer versions of Ubuntu, and put a warning in the package description that the package is not routinely updated and its use should be limited to known-secure environments, rather than use on the Web?
If this is a ridiculous idea, feel free to ignore me - I am a newbie in the Ubuntu development world (still working on getting official Lubuntu and Ubuntu membership) so this might be silly.