webkitgtk flawed
Quote:
The WebKit rendering engine used in many Linux applications is a complete security mess. That’s the takeaway from a blog post by Michael Catanzaro, who works on GNOME’s WebKitGTK+ project. He’s sounding the alarm about a problem the open-source community needs to fix.
Well, I'd like to update webkitgtk to the latest version very often.
Last I checked, it always required a ridiculous amount of very recent system libraries, though. I'm not up for rebuilding Slackware from the ground up to get an up-to-date webkitgtk.
Edit: I've changed the 2.4.9 SlackBuild for webkitgtk 2.10.7 like this and it at least starts to build this time:
webkitgtk 2.10 utilizes a different API compared to the previous 2.4.9, and both can be co-installed on one system.
In SBo we have 3 different webkits: webkitgtk (uses GTK2), webkitgtk3 (uses GTK3), and webkit2gtk (uses API2).
see here: https://slackbuilds.org/cgit/slackbu...p&q=webkit2gtk
But I guess this means that Banshee is stuck on 2.4.x and since development has stalled over the last year, it might be time to switch to a different media management program...
Remember that ..WebKitGTK+ 2.4.9 was released upstream over eight months ago... It’s worth mentioning that 2.4.9 contains the fix for that serious networking backend issue .. mentioned earlier (CVE-2015-2330).
@schmatzler:
Quote:
Banshee is stuck on 2.4.x
SlackBuilds is on 2.4.9, thus in that respect, if you have followed SBo updates on your box, one hole should be plugged.....
Back to the blog: Major problems are with KDE-applications that rely on QtWebkit:
Quote:
There’s not much hope left for QtWebKit; these applications have hundreds of known vulnerabilities that will never be fixed. Applications should port to QtWebEngine, but for many applications this may not be easy or even possible... There is some effort to update QtWebKit. [If it] makes its way into upstream Qt, this problem could be solved.
Upgrading of applications to the API2 version is also discussed...
Quote:
While upgrading to the WebKit2 API will be easy for most applications .., for many others it will be a significant challenge.... like GIMP and Geany that are stuck on GTK+ 2. They first have to upgrade to GTK+ 3 before they can consider upgrading to modern WebKitGTK+. GIMP is working on a GTK+ 3 port anyway (GIMP uses WebKitGTK+ for its help browser), but many applications like Geany (the IDE ..) are content to remain on GTK+ 2 forever.
But the problem remains:
Quote:
WebKitGTK+ 2.4 has not had any updates since last May, and the last real comprehensive security update was over one year ago. Since then, almost 130 vulnerabilities have been fixed in newer versions of WebKitGTK+.
and might not go away:
Quote:
How do we fix this? Well, for applications using modern WebKitGTK+, .. distributions .. have to start taking our security updates.
For applications stuck on WebKitGTK+ 2.4:
[Do not reckon on] security backports to WebKitGTK+ 2.4.
Major distributions could remove the old WebKitGTK+ compatibility packages. That will force applications to upgrade, but many will not have the manpower to do so: good applications will be lost. This is probably the only realistic way to fix the security problem, but it’s a very unfortunate one. (But don’t forget about QtWebKit. QtWebKit is based on an even older version of WebKit than WebKitGTK+ 2.4. It doesn’t make much sense to allow one insecure version of WebKit but not another.)
Or, a far more likely possibility: we could do nothing, and keep using insecure software.
I was able to build WebKitGTK 2.10.7 on an Ubuntu 14.04 Trusty base. JULinux 10, which has been elevated to my primary distro and uses this base, includes Midori as one of three browsers. Midori on Ubuntu uses the older 2.4.x WebKitGTK base. I did compile Midori against the new WebKit but had a bad memory leak issue which caused the memory to become full, and I also had a problem with it crashing when I backspaced in the address bar. And, with any Epiphany version older than 3.14.x not building against WebKitGTK 2.10.x, and the newest Epiphany version on the Trusty base being 3.12, it's too risky to try and build Epiphany 3.14 on the Trusty base outside of a fake root. Slackware users would only run Epiphany if they have Dropline GNOME, which does have a 3.14 version for Slackware 14.1. The only other browsers I know of that run WebKit2GTK are minimalist browsers which do not have bookmarks. The following is a screenshot on which I have the Lariza Browser, which runs WebKit2, on the left and Midori with WebKit1 on the right, both with html5test.com.
I usually browse with Pale Moon, which has many security updates, having recently switched from SeaMonkey as my main browser. I have FossaMail as my email client, which is a fork of Thunderbird put out by the same group as Pale Moon.