[SRU] please remove libqt5webkit dependency

Bug #1547647 reported by Nik Soams on 2016-02-19
This bug affects 2 people
Affects: signon-ui (Ubuntu)
Assigned to: Alberto Mardegan

Bug Description

This is an SRU request, based on the process documented at https://wiki.ubuntu.com/StableReleaseUpdates


 * When declaring online accounts for use by Ubuntu, the system uses a webview to authenticate to online services like Facebook or Google.

 * On X11 desktops, that webview currently uses an old qt5webkit component that is now unmaintained.

 * Backporting this fix will simplify the maintenance work, by removing the need for that old component, and will improve the coherence of the system by using a supported Oxide webview

[Test Case]

To verify the change:

 * Go to system settings > Online Accounts
 * Add account of type Google, Facebook or Twitter (which uses webview for authentication)
 * Verify that a webview opens to log onto the online service
 * Verify that the account is listed in the account list at the end of this process
 * Verify that the related apps and services can use the online account as before (i.e. Shotwell photo uploads, Photos scope, etc.)

[Regression Potential]

 * On architectures not supported by Oxide, namely ppc64el and s390x, the change will trigger a runtime error when trying to use that part of signon-ui.

 * The problem affects users of Ubuntu desktop systems based on X11. The change has already been in effect on Unity8/Mir devices for a few months.

[Other Info]

 * signon-ui-x11 (http://packages.ubuntu.com/xenial/signon-ui-x11) depends on libqt5webkit5

 * See also: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/
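
The dependency and architecture points in this description can be checked mechanically when verifying a candidate package. The following shell functions are an added example, not part of the bug report or the signon-ui packaging; the function names and the sample Depends strings are constructed, and amd64 is used as the Debian name for x86-64.

```shell
#!/bin/sh
# Added example: audit a package's Depends field for the QtWebKit runtime and
# check whether the architecture is one this bug names as working with Oxide.

# has_dep DEPENDS_FIELD PKG
# Succeeds if PKG is listed (also inside "a | b" alternatives), ignoring
# version constraints such as "(>= 5.0)" and qualifiers such as ":any".
has_dep() {
    printf '%s\n' "$1" | tr ',|' '\n\n' |
        sed -e 's/([^)]*)//g' -e 's/:[a-z0-9-]*//' -e 's/[[:space:]]//g' |
        grep -xF -- "$2" >/dev/null
}

# oxide_supported ARCH
# From the bug discussion: x86-64 (amd64), i386 and armhf work;
# ppc64el and s390x are named as unsupported.
oxide_supported() {
    case "$1" in
        amd64|i386|armhf) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_signon_ui DEPENDS_FIELD ARCH -> prints one verdict word
audit_signon_ui() {
    if has_dep "$1" libqt5webkit5; then
        echo "webkit-present"          # unmaintained component still pulled in
    elif oxide_supported "$2"; then
        echo "ok"
    else
        echo "oxide-unsupported-arch"  # runtime error expected per [Regression Potential]
    fi
}

# Constructed sample Depends fields (libexample-webview1 is a placeholder name).
OLD_DEPENDS='libc6 (>= 2.14), libqt5webkit5 (>= 5.0.2), libqt5widgets5 (>= 5.0.2)'
NEW_DEPENDS='libc6 (>= 2.14), libexample-webview1 | libexample-alt, libqt5widgets5'

audit_signon_ui "$OLD_DEPENDS" amd64
audit_signon_ui "$NEW_DEPENDS" amd64
audit_signon_ui "$NEW_DEPENDS" s390x

# On a live system the inputs would come from dpkg:
#   audit_signon_ui "$(dpkg-query -W -f='${Depends}' signon-ui-x11)" \
#                   "$(dpkg --print-architecture)"
```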


Nik Soams (fuj63904) on 2016-02-19
summary: - Build without libqt5webkit dependancy
+ CRITICAL: please remove libqt5webkit dependancy

I've spent some time investigating the possibility of replacing QtWebkit with the Ubuntu.Web module (which internally uses Oxide), but the task looks far from trivial, and we should consider whether the request is worth the effort.
There are also two points to consider:
1) While indeed Oxide would be the safest bet from a security point of view, we use this webview for showing service login portals, which typically are safe to browse as they don't include third party content where malicious code could reside.
2) Oxide only works in x86-64, i386 and armhf architectures

Summing up, while I think we should be definitely moving towards the goal of not using QtWebkit1, I don't see a critical urgency of doing this for the LTS. So I'll be working on this bug as time permits, unless of course more reasons for the urgency are given.

Changed in signon-ui (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Changed in canonical-devices-system-image:
status: New → Confirmed
no longer affects: canonical-devices-system-image
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package signon-ui - 0.17+16.04.20160406-0ubuntu1

signon-ui (0.17+16.04.20160406-0ubuntu1) xenial; urgency=medium

  [ Alberto Mardegan ]
  * Update Ubuntu.Web backend, make it the default on Unity (LP:

 -- David Barth <email address hidden> Wed, 06 Apr 2016 09:17:36 +0000

Changed in signon-ui (Ubuntu):
status: Confirmed → Fix Released
tags: added: xenial
Will Cooke (willcooke) on 2016-06-29
Changed in signon-ui (Ubuntu):
milestone: none → ubuntu-16.04.1
Will Cooke (willcooke) on 2016-06-29
Changed in signon-ui (Ubuntu Xenial):
milestone: none → ubuntu-16.04.1
Changed in signon-ui (Ubuntu Yakkety):
milestone: ubuntu-16.04.1 → none
Will Cooke (willcooke) on 2016-06-30
Changed in signon-ui (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Alberto Mardegan (mardy)
Changed in signon-ui (Ubuntu Yakkety):
assignee: nobody → Alberto Mardegan (mardy)
Changed in signon-ui (Ubuntu Xenial):
importance: Undecided → Medium
David Barth (dbarth) on 2016-06-30
description: updated
description: updated
summary: - CRITICAL: please remove libqt5webkit dependancy
+ [SRU] please remove libqt5webkit dependancy
summary: - [SRU] please remove libqt5webkit dependancy
+ [SRU] please remove libqt5webkit dependency
Amr Ibrahim (amribrahim1987) wrote :


David Barth (dbarth) wrote :

Confirmed to work on Xenial.

Hello Nik, or anyone else affected,

Accepted signon-ui into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/signon-ui/0.17+16.04.20170116-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in signon-ui (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for xenial for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate

As part of a recent change in the Stable Release Update verification policy we would like to inform you that for a bug to be considered verified for a given release a verification-done-$RELEASE tag needs to be added to the bug, where $RELEASE is the name of the series of the package that was tested (e.g. verification-done-xenial). Please note that the global 'verification-done' tag can no longer be used for this purpose.

Thank you!

Amr Ibrahim (amribrahim1987) wrote :

I installed signon-ui from xenial-proposed. I get this crash LP: #1703088 after I add my Google account in UOA. It could be a regression. The Google account is added fine.

Steve Langasek (vorlon) wrote :

Marking verification-failed based on LP: #1703088. If this should turn out not to be a regression, please reset the tag.

However, this package is also a candidate for removal from -proposed due to its lack of verification after 4 months. If someone is interested in seeing this SRU released, the verification should also be completed.

tags: added: verification-failed-trusty
removed: verification-needed

The version of signon-ui in the proposed pocket of Xenial that was purported to fix this bug report has been removed because the bugs that were to be fixed by the upload were not verified in a timely (105 days) fashion.

Changed in signon-ui (Ubuntu Xenial):
status: Fix Committed → Won't Fix