I'm not sure why the 2.10 branch serves as the default, with such a bad track record that it was stricken from the logs, but 2.10.4 as found in _default.nix_ had some security issues that were addressed later in the branch:
=================
WebKitGTK+ 2.10.9
=================
What's new in WebKitGTK+ 2.10.9?
- Revert the patch to limit the number of tiles according to the visible area introduced in 2.10.8,
because it caused rendering issues in several popular websites.
- Fix the build with musl libc library.
- Fix the build with clang-3.8.
=================
WebKitGTK+ 2.10.8
=================
What's new in WebKitGTK+ 2.10.8?
- Limit the number of tiles according to the visible area. This was causing a huge memory
consumption with some websites.
- Fix flickering and rendering artifacts when entering accelerated compositing mode
before the web view is realized.
- Fix rendering of form controls and scrollbars with GTK+ >= 3.19.
- Fix HTTP authentication dialog rendering when accelerated compositing mode is enabled.
- Fix rendering artifacts when using a web view background color.
- Fix a crash when creating a WebKitWebView without providing a WebKitWebContext.
- Fix several crashes and rendering issues.
- Security fixes: CVE-2016-1726.
=================
WebKitGTK+ 2.10.7
=================
What's new in WebKitGTK+ 2.10.6?
- Fix the build with GTK+ < 3.16.
=================
WebKitGTK+ 2.10.6
=================
What's new in WebKitGTK+ 2.10.6?
- Fix a deadlock in the Web Process when JavaScript garbage collector was running for a web worker
thread that made google maps to hang.
- Fix media controls displaying without controls attribute.
- Fix a Web Process crash when quickly attempting many DnD operations.
=================
WebKitGTK+ 2.10.5
=================
What's new in WebKitGTK+ 2.10.5?
- Disable DNS prefetch when a proxy is configured.
- Reduce the maximum simultaneous network connections to match other browsers.
- Make WebKitWebView always propagate motion-notify-event signal.
- Add a way to force accelerating compositing mode at runtime using an environment variable.
- Fix input elements and scrollbars rendering with GTK+ 3.19.
- Fix rendering of lines when using solid colors.
- Fix UI process crashes related to not having a main resource response when the load is
committed for pages restored from the history cache.
- Fix a WebProcess crash when loading large contents with custom URI schemes API.
- Fix a crash in the UI process when the WebView is destroyed while the screensaver DBus proxy
is being created.
- Fix WebProcess crashes due to BadDrawable X errors in accelerated compositing mode.
- Fix crashes on PPC64 due to mprotect() on address not aligned to the page size.
- Fix std::bad_function_call exception raised in dispatchDecidePolicyForNavigationAction.
- Fix downloads of data URLs.
- Fix runtime critical warnings when closing a page containing windowed plugins.
- Fix several crashes and rendering issues.
- Translation updates: French, German, Italian, Turkish.
- Security fixes: CVE-2015-7096, CVE-2015-7098.
Again, I'm not sure why it's in the _default.nix_, but maybe it's possible to at least update it to 2.10.9? Maybe even move the default namespace to the 2.12 stable branch?
Thanks
Agreed.
cc maintainer @k0ral
One problem with webkitgtk is that it's a huge build with quite a few reverse dependencies, some of which are also huge builds, so it's too much work for a single person and possibly makes people hesitant to contribute.
> One problem with webkitgtk is that it's a huge build
Took my poor Q6600 potato 2 hours of 99% CPU usage just to go through 15%... At that point I Ctrl+C and wrote this issue. :/
If you look at the midori package, you'll note I've changed the webkit flag to off since I just couldn't bring myself to go through it all...
It's not reasonable to ask people to go through that ... For webkitgtk to be somewhat maintainable, I think we just need to agree that releases that claim no api breaking changes can be pushed untested. For potential api breakage, we need a dedicated Hydra job that can test the build for us. Given webkitgtk's track record, not staying on upstream's recommended release version is just asking for a security disaster.
I think we also need to seriously consider what to do about stuff that still relies on webkitgtk 2.4.
Edit REWRITE.
The problem is that if we were to follow https://webkitgtk.org/reference/webkit2gtk/stable/api-index-deprecated.html, we'll need to maintain:
And that still won't account for security issues. Just API changes.
As for the 2.4, Fedora (https://apps.fedoraproject.org/packages/webkitgtk/builds) and Ubuntu (https://launchpad.net/ubuntu/+source/webkitgtk) are still packaging and patching it so we could technically keep it up...
So, looking at potentially 4 branches of such a huge package, I say, dump it all and leave just 2.12. Upstream already deleted references to the 2.10 security issues from their logs... Who's to say anything other than what they consider stable isn't vulnerable?
If packages can't keep up with upstream stable branch all the way back to 2.4, I say, drop them.
@RamKromberg I pretty much agree. Keep 2.4 (or whichever is the latest version still supporting WebKit1) around for stuff that only uses it to render local content (and cannot use more recent webkit AND is too important to mark as broken), but otherwise always track upstream's recommended version (or pay close attention to their security advisories and bump versions accordingly).
If you care to, please go ahead with your plan.
@joachifm I'm stuck compiling. 12 hours and still under 50% just for webkit... Then I'll need to test out the different packages that depend on it...
I think someone with the hydra know-how and privileges is necessary here. At least I got Midori and libsoup ready so they won't hold it back :D
I'll try to make things move forward, one step at a time:
- webkitgtk derivation point to 2.12 branch (and update all reverse-dependencies adequately)
@k0ral thanks :)
Resolved by https://github.com/NixOS/nixpkgs/pull/17492 Thanks!
thanks :)