Samstag, 24. Juni 2017

Improving QtWebKit security for Fedora

The Qt port of the WebKit engine was unmaintained for years, until Konstantin Tokarev (also known as annulen) decided to pick it up in December 2015. Within the last months he did an impressive job on getting QtWebKit up to date again, some days ago he released the second alpha of QtWebKit 5.212.0. As the current state of QtWebkit is really bad in Fedora, we always shipped the latest one from Qt upstream, but they did not do any backports of security fixes from upstream WebKit anymore, the KDE SIG now decided to move to the new community QtWebKit. Qt itself only supports the QtWebEngine based on Chromium, which itself has some issues (hard to maintain as we have to remove codec stuff, always some Chromium releases behind) , but more important: Many applications have not been ported and still use QtWebKit. With Konstantins work on QtWebKit it is possible to use them without all these unfixed security issues again. There are also some reasons to use QtWebKit instead of QtWebEngine, checkout the QtWebKit Wiki.

Within the last two weeks I worked on packaging the new QtWebKit and testing it with several browsers and KDE components to ensure that we do not break the world. So far it looks like new QtWebKit is what it is promised to be: a drop-in replacement for the old one, even without the need to recompile anything. For now our plan to get it in Fedora:

  • Provide a copr for wider testing, already done, checkout
  • Import into Rawhide (done)
  • Update all qt5-qtwebkit packages for Fedora 24+ when some more testing is done, current plan is a 0day update for Fedora 26 (we will not get it in before final freeze) and updates for Fedora 24 and 25 at the same time
Note that I'm talking about the Qt5 version of QtWebKit. There is no upstream support for Qt4 anymore, but it is still in Fedoras repositories. So Qt4 QtWebKit is still without any fixes, I guess we should retire it at some point, in the same way our WebKitGTK+ friends already did.

2 Kommentare:

  1. >decided to pick it up about ten months ago

    Actually, decision was taken a bit earlier, see In August of 2016 TP3 was already released, which was shipped with binary releases Otter Browser :)