Nixpkgs: Get rid of webkitgtk24

Created on 5 Sep 2016 · 20 Comments · Source: NixOS/nixpkgs

It can not be built in parallel so it takes 6+ hours to build, sometimes even 9h.

$ git grep webkitgtk24
pkgs/applications/editors/emacs-25/default.nix:, withXwidgets ? false, webkitgtk24x ? null, wrapGAppsHook ? null, glib_networking ? null
pkgs/applications/editors/emacs-25/default.nix:assert withXwidgets -> withGTK3 && webkitgtk24x != null;
pkgs/applications/editors/emacs-25/default.nix:    ++ stdenv.lib.optionals withXwidgets [webkitgtk24x wrapGAppsHook glib_networking];
pkgs/desktops/gnome-3/3.20/default.nix:  inherit (pkgs) glib gtk2 webkitgtk24x webkitgtk212x gtk3 gtkmm3 libcanberra;
pkgs/desktops/gnome-3/3.20/default.nix:  #   webkitgtk = webkitgtk24x;
pkgs/desktops/gnome-3/3.20/default.nix:    webkitgtk = webkitgtk24x;
pkgs/desktops/gnome-3/3.20/default.nix:    webkitgtk = webkitgtk24x;
pkgs/desktops/gnome-3/3.20/default.nix:    webkitgtk = webkitgtk24x;
pkgs/desktops/gnome-3/3.20/default.nix:    webkitgtk = webkitgtk24x;
pkgs/development/haskell-modules/configuration-common.nix:  webkitgtk3 = super.webkitgtk3.override { webkit = pkgs.webkitgtk24x; };
pkgs/development/haskell-modules/configuration-common.nix:  webkitgtk3-javascriptcore = super.webkitgtk3-javascriptcore.override { webkit = pkgs.webkitgtk24x; };
pkgs/development/haskell-modules/configuration-common.nix:  websnap = super.websnap.override { webkit = pkgs.webkitgtk24x; };
pkgs/tools/networking/mu/default.nix:, gtk3, webkitgtk24x, libsoup, icu }:
pkgs/tools/networking/mu/default.nix:    gtk3 webkitgtk24x ];
pkgs/top-level/all-packages.nix:  webkitgtk24x = callPackage ../development/libraries/webkitgtk/2.4.nix {
pkgs/top-level/all-packages.nix:  webkitgtk2 = webkitgtk24x.override {
pkgs/top-level/all-packages.nix:    webkitgtk = webkitgtk24x;
pkgs/top-level/all-packages.nix:    webkitgtk = webkitgtk24x;

cc @lethalman @DamienCassou

security

@gebner could we bump webkitgtk version for mu? See ad41b8fa197cbab795ea01ca7becf6548391ef5c

Packages that need the old api should probably be just migrated to webkit 2.10

Is webkitgtk210x the new version with the old API? I just tried to build mu against it, but apparently we don't build webkitgtk210x on hydra. Is there a reason for hydra not building it?

@gebner No. There's no one "old api". We've covered this all in https://github.com/NixOS/nixpkgs/issues/17308 but essentially there were 4 API deprecations resulting in 4 distinct branches: 2.4, 2.6, 2.10 & 2.12.

In fact, upstream doesn't support 2.4, 2.6 & 2.10 and considers 2.12 the stable branch. Worse, the 2.10 branch had consecutive security issues and ended up getting stricken off the change-logs as if it was some development unstable branch...

I was hoping we could remove webkitgtk for gnome 3.22, but it turns out, it's still needed...
https://bugs.launchpad.net/ubuntu/+source/bijiben/+bug/1588150
For us this affects bijiben and geary :disappointed:

More uses:

git grep 'webkitgtk2[^41]'
pkgs/applications/audio/guitarix/default.nix:, webkitgtk2, wrapGAppsHook, zita-convolver, zita-resampler
pkgs/applications/audio/guitarix/default.nix:    libsndfile lilv lv2 serd sord sratom webkitgtk2 zita-convolver
pkgs/applications/editors/eclipse/build-eclipse.nix:{ stdenv, makeDesktopItem, freetype, fontconfig, libX11, libXrender, zlib, jdk, glib, gtk2, libXtst, webkitgtk2, makeWrapper, ... }:
pkgs/applications/editors/eclipse/build-eclipse.nix:      --prefix LD_LIBRARY_PATH : ${stdenv.lib.makeLibraryPath ([ glib gtk2 libXtst ] ++ stdenv.lib.optional (webkitgtk2 != null) webkitgtk2)} \
pkgs/applications/editors/eclipse/default.nix:, webkitgtk2 ? null  # for internal web browser
pkgs/applications/networking/browsers/dwb/default.nix:{ stdenv, fetchgit, pkgconfig, makeWrapper, libsoup, webkitgtk2, gtk2, gnutls
pkgs/applications/networking/browsers/dwb/default.nix:    webkitgtk2 gtk2 gnutls json_c m4 ];
pkgs/applications/networking/mailreaders/claws-mail/default.nix:    ++ optional enablePluginFancy webkitgtk2;
pkgs/applications/office/osmo/default.nix:, libarchive, gtkspell2, webkitgtk2, libgringotts }:
pkgs/applications/office/osmo/default.nix:    gtkspell2 webkitgtk2 libgringotts ];
pkgs/applications/video/miro/default.nix:, pythonPackages, pyrex096, ffmpeg, boost, glib, gtk2, webkitgtk2, libsoup
pkgs/applications/video/miro/default.nix:    pkgconfig pyrex096 ffmpeg boost glib gtk2 webkitgtk2 libsoup
pkgs/development/haskell-modules/configuration-common.nix:  webkit = super.webkit.override { webkit = pkgs.webkitgtk2; };
pkgs/top-level/all-packages.nix:  webkitgtk2 = webkitgtk24x.override {
pkgs/top-level/all-packages.nix:    webkit = webkitgtk2;
pkgs/top-level/all-packages.nix:      webkit = webkitgtk2;
pkgs/top-level/all-packages.nix:    webkit = webkitgtk2;
pkgs/top-level/all-packages.nix:    webkit = webkitgtk2;
pkgs/top-level/all-packages.nix:    webkitgtk = webkitgtk2;
pkgs/top-level/all-packages.nix:    webkit = webkitgtk2;
pkgs/top-level/all-packages.nix:    webkit = webkitgtk2;
pkgs/top-level/python-packages.nix:      pkgs.libxslt pkgs.libsoup pkgs.webkitgtk2 pkgs.icu

How are these projects still using such an old dependency?

I think it's mainly upstream not adding support; I've got no idea why that goes so slowly. As a consequence, e.g. the latest Debian (unstable) still defaults to 2.4.x, and even same in Arch.

List of packages still depending on webkitgtk24x (checked if fixed or removed):

  • [ ] gnome3.bijiben
  • [x] gnome3.geary
  • [ ] haskellPackages.webkitgtk3
  • [ ] haskellPackages.webkitgtk3-javascriptcore
  • [ ] haskellPackages.websnap
  • [ ] emacs
  • [ ] astroid (https://github.com/astroidmail/astroid/issues/49)
  • [ ] mu
  • [ ] jumanji
  • [ ] liferea
    (list from @fpletz)

I vote to remove the support and mark packages that have a hard dependency on it as broken. I think emacs xwidget support is a bit of a gimmick so I for one wouldn't consider it a great loss if it had to be disabled.

emacs 25.2 upgrades wxwidgets to use a recent webkitgtk.

Marking webkitgtk24 itself as broken should be enough. That won't propagate to nix-env -qa normally, but it will throw the message on evaluation.

There are even more packages on 2.4, since webkitgtk2 is derived from webkitgtk24x:

  • [ ] guitarix
  • [ ] eclipse
  • [ ] dwb
  • [ ] claws-mail
  • [ ] osmo
  • [ ] miro
  • [ ] wxGTK30
  • [ ] pythonPackages.pywebkitgtk
  • [ ] gnucash26
  • [x] luakit
  • [ ] surf
  • [ ] uzbl
  • [ ] xiphos
  • [ ] vimprobable2-unwrapped
  • [ ] vimb-unwrapped

> I think emacs xwidget support is a bit of a gimmick so I for one wouldn't consider it a great loss if it had to be disabled.

That. In fact, people over at freenode#emacs were horrified, when I told them the other day, that the xwidget browser thing had javascript support turned on.

It seems unlikely for all the mentioned packages to be fixed in time for the upcoming stable. I'd support marking webkitgtk24 as broken. I've been running a patch to do so for 2 master rebuilds now. The kde5 derivation continues to evaluate and for gnome3 I've just had to deactivate an optional package bijiben, see

  • We can continue to allow wkgtk24 for packages after assessing the security risk:

    • [x] guitarix

      Uses its (optional) wkgtk dependency for a preset downloader. As long as nobody hacks that page, it should be fine.

    • [ ] gnucash26, seems to use wkgtk for help browser and possibly online banking features (i.e. bank-controlled content)

      gnucash probably is too big to fail ;-)

    • [ ] bijiben, if we don't want to drop it from gnome3's optional packages @lethalman ?

      It seems to use wkgtk for rendering user generated content (notes)

    • ...

  • We should __not__ continue to allow wkgtk24 for these packages, by default:

    • [x] eclipse

      It's an optional dependency anyway, and it enables an integrated web browser (!)

    • [x] emacs

      see previous message

    • [ ] clawsmail

    • [ ] miro

      Those seem likely to be exposed to uncontrolled content through email / rss

    • ...

With @joachifm's PR merged, it isn't _removed_ but it is disabled by default.

Let's close. Webkit 2.4 is unusable unless you explicitly disable security check; that seems fair, and it's up to packages using this to choose (update).
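
Added example, not part of the thread and not nixpkgs' own code: assuming the "security check" in the closing comment is nixpkgs' insecure-package gate (packages carrying `meta.knownVulnerabilities` fail evaluation unless allowed), this shows the scoped per-package opt-in beside the blanket override. The version string is a placeholder; the exact name to list is the one printed in the evaluation error.

```nix
# ~/.config/nixpkgs/config.nix
# (on NixOS the same keys go under `nixpkgs.config` in configuration.nix)
{
  # Too broad: a predicate that returns true accepts every package marked
  # with known vulnerabilities, not just the one you assessed. Setting
  # NIXPKGS_ALLOW_INSECURE=1 in the environment has the same blanket effect.
  # When a custom predicate is set it replaces the default one, so the
  # permittedInsecurePackages list below is no longer consulted.
  #
  # allowInsecurePredicate = pkg: true;

  # Scoped: only the derivation with exactly this name is accepted. Any
  # other insecure package still aborts evaluation, and a version bump of
  # the listed package forces the decision to be revisited.
  permittedInsecurePackages = [
    "webkitgtk-2.4.PLACEHOLDER"  # placeholder: copy the name from the error message
  ];
}
```

Because the allow-list matches on the full name including the version, the exception lapses when the package is updated, which keeps the risk assessment per release rather than permanent.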
