[SRU] please remove libqt5webkit dependency

Bug #1547647 reported by Nik Soams on 2016-02-19
This bug affects 2 people
Affects: signon-ui (Ubuntu); Importance: Medium; Assigned to: Alberto Mardegan
Affects: Xenial; Importance: Medium; Assigned to: Alberto Mardegan
Affects: Yakkety; Importance: Medium; Assigned to: Alberto Mardegan

Bug Description

This is an SRU request, based on the process documented at https://wiki.ubuntu.com/StableReleaseUpdates

[Impact]

 * When declaring online accounts for use by Ubuntu, the system uses a webview to authenticate to online services like Facebook or Google.

 * On X11 desktops, that webview currently uses an old qt5webkit component that is now unmaintained.

 * Backporting this fix will simplify the maintenance work, by removing the need for that old component, and will improve the coherence of the system by using a supported Oxide webview

[Test Case]

To verify the change:

 * Go to system settings > Online Accounts
 * Add an account of type Google, Facebook or Twitter (which use a webview for authentication)
 * Verify that a webview opens to log onto the online service
 * Verify that the account is listed in the account list at the end of this process
 * Verify that the related apps and services can use the online account as before (i.e. Shotwell photo uploads, Photos scope, etc.)

[Regression Potential]

 * On architectures not supported by Oxide, namely ppc64el and s390x, the change will trigger a runtime error when trying to use that part of signon-ui.

 * The problem affects users of Ubuntu desktop systems based on X11. The change has already been in effect on Unity8/Mir devices for a few months.

[Other Info]

 * signon-ui-x11 (http://packages.ubuntu.com/xenial/signon-ui-x11) depends on libqt5webkit5

 * See also: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
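
A check a verifier could run alongside the manual test case, as an added example that is not part of the bug report or of signon-ui: it parses a dpkg Depends field for libqt5webkit5 and flags the architectures the report lists as unsupported by Oxide. The function names and the sample Depends strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: SRU verification helper (hypothetical names, not project code).

# depends_on FIELD PKG
# Succeeds if PKG is named in a dpkg Depends field, as a hard dependency or
# as one alternative of an "a | b" group. Version constraints "(>= x)" and
# architecture qualifiers such as ":any" are ignored.
depends_on() {
    printf '%s\n' "$1" |
        tr ',|' '\n\n' |
        sed -e 's/([^)]*)//g' -e 's/:[a-z0-9-]*//' -e 's/[[:space:]]//g' |
        grep -Fxq -- "$2"
}

# oxide_unsupported ARCH
# The report names ppc64el and s390x as architectures Oxide does not support.
oxide_unsupported() {
    case "$1" in
        ppc64el|s390x) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_sru FIELD ARCH
# Returns 0 when the webkit dependency is gone, 1 when it is still present,
# 2 when it is gone but the webview is expected to fail at runtime.
verify_sru() {
    if depends_on "$1" libqt5webkit5; then
        echo "fail: still depends on libqt5webkit5"; return 1
    fi
    if oxide_unsupported "$2"; then
        echo "warn: no Oxide on $2, expect a runtime error in the webview"; return 2
    fi
    echo "ok: libqt5webkit5 dependency removed"
}

# Constructed Depends fields for illustration, not real package metadata.
OLD_DEPENDS='libc6 (>= 2.14), libqt5webkit5 (>= 5.0.2), libqt5widgets5 (>= 5.2.0), signond'
NEW_DEPENDS='libc6 (>= 2.14), libqt5widgets5 (>= 5.2.0), example-webview-module, signond'

verify_sru "$NEW_DEPENDS" amd64

# On an installed system, feed it the real values instead:
# verify_sru "$(dpkg-query -W -f='${Depends}' signon-ui-x11)" "$(dpkg --print-architecture)"
```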


Nik Soams (fuj63904) on 2016-02-19
summary: - Build without libqt5webkit dependancy
+ CRITICAL: please remove libqt5webkit dependancy

I've spent some time investigating the possibility of replacing QtWebkit with the Ubuntu.Web module (which internally uses Oxide), but the task looks far from trivial, and we should consider whether the request is worth the effort.
There are also two points to consider:
1) While indeed Oxide would be the safest bet from a security point of view, we use this webview for showing service login portals, which typically are safe to browse as they don't include third party content where malicious code could reside.
2) Oxide only works on the x86-64, i386 and armhf architectures.

Summing up, while I think we should be definitely moving towards the goal of not using QtWebkit1, I don't see a critical urgency of doing this for the LTS. So I'll be working on this bug as time permits, unless of course more reasons for the urgency are given.

Changed in signon-ui (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Changed in canonical-devices-system-image:
status: New → Confirmed
no longer affects: canonical-devices-system-image
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package signon-ui - 0.17+16.04.20160406-0ubuntu1

---------------
signon-ui (0.17+16.04.20160406-0ubuntu1) xenial; urgency=medium

  [ Alberto Mardegan ]
  * Update Ubuntu.Web backend, make it the default on Unity (LP:
    #1547647)

 -- David Barth <email address hidden> Wed, 06 Apr 2016 09:17:36 +0000

Changed in signon-ui (Ubuntu):
status: Confirmed → Fix Released
tags: added: xenial
Will Cooke (willcooke) on 2016-06-29
Changed in signon-ui (Ubuntu):
milestone: none → ubuntu-16.04.1
Will Cooke (willcooke) on 2016-06-29
Changed in signon-ui (Ubuntu Xenial):
milestone: none → ubuntu-16.04.1
Changed in signon-ui (Ubuntu Yakkety):
milestone: ubuntu-16.04.1 → none
Will Cooke (willcooke) on 2016-06-30
Changed in signon-ui (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Alberto Mardegan (mardy)
Changed in signon-ui (Ubuntu Yakkety):
assignee: nobody → Alberto Mardegan (mardy)
Changed in signon-ui (Ubuntu Xenial):
importance: Undecided → Medium
David Barth (dbarth) on 2016-06-30
description: updated
description: updated
summary: - CRITICAL: please remove libqt5webkit dependancy
+ [SRU] please remove libqt5webkit dependancy
summary: - [SRU] please remove libqt5webkit dependancy
+ [SRU] please remove libqt5webkit dependency
Amr Ibrahim (amribrahim1987) wrote :

Ping!

David Barth (dbarth) wrote :

Confirmed to work on Xenial.

Hello Nik, or anyone else affected,

Accepted signon-ui into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/signon-ui/0.17+16.04.20170116-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in signon-ui (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed