[kdelibs] Make Qt4 WebKit optional (default on)

Review Request #129233 - Created Oct. 20, 2016 and updated

Information
Andreas Sturmlechner
kdelibs
master
95ac364...
Reviewers
kdelibs

Provide a switch for distributions to disable build of kdewebkit and
kdewebkit-widgets, to support efforts on getting rid of Qt4 WebKit.

The implications of this for KDE Applications packages are, at this
point (16.12.0), negligible:

kde-runtime/drkonqi
kde-runtime/kioslave (htmlthumbnail, removable with little effort, probably no reverse dep left)
kde-runtime/plasma (no reverse deps left)
pykde4 (with rdep: kajongg)


  
Martin Flöser
Andreas Sturmlechner
Review request changed

Change Summary:

kqtquickcharts and ktouch are ported in 16.12, which makes this release almost independent of Qt4WebKit. Any other opinions? Otherwise this remains @downstream only.

Description:

   

Provide a switch for distributions to disable build of kdewebkit and

    kdewebkit-widgets, to support efforts on getting rid of Qt4 WebKit.

   
   

The implications of this for KDE Applications packages are, at this

~   point, negligible:

  ~ point (16.12.0), negligible:

   
   

kde-runtime/drkonqi

~   kde-runtime/kioslave (htmlthumbnail, removable with little effort)
~   kde-runtime/plasma (with rdeps: kqtquickcharts, ktouch)
  ~ kde-runtime/kioslave (htmlthumbnail, removable with little effort, probably no reverse dep left)
  ~ kde-runtime/plasma (no reverse deps left)
    pykde4 (with rdep: kajongg)

-  
-  

The following two listed for completeness, even if not part of

-   current KDE Applications releases anymore:
-   kdepim-4
-   marble-4

Albert Astals Cid

I honestly can't see how this would count as "bugfix".

  1. I see it as a security fix, considering that even Qt5Webkit is probably affected by a three digit number of security issues in its old Webkit and that Qt4Webkit is even based on an older version of Webkit. Especially with the above mentioned htmlthumbnailer the attack surface is possibly rather huge and in addition not even that obvious to the unsuspecting user.
    
    Anyway I have applied this downstream and kicked out htmlthumbnailer from kde-runtime.
  2. One last ping before close - we've been applying this downstream since 4.14.22 without issues (in fact people have had it enabled or disabled via use flag depending on their setups and provided valuable testing), and not a single bug was raised. Obviously with this flag it is the job of the packagers to determine if they have any qtwebkit reverse-dependencies left, but by default nothing changes.

  3. The "bugfix only" policy is intended to give some improved guarantees that upgrades won't break existing software.  But since we've had packagers already testing this patch for a year now, I think the patch has received more than enough testing to make us able to worry less about breaking user systems.
    
    On top of the potential reduction in attack surface made possible by this restructuring, I think it is in our users' best interest to apply the patch.
    
    +1 from me.