[webkit-gtk] About the policy of (non) updating minimum build-dependencies

Carlos Garcia Campos cgarcia at igalia.com
Thu Jul 7 23:13:02 PDT 2016 

El mié, 06-07-2016 a las 19:22 +0200, Carlos Alberto Lopez Perez
escribió:
> Hi,
> 
> 
> I think the current policy of not raising the minimum version for
> WebKitGTK+ build-dependencies is perhaps too strict.
> 
> IMHO it don't makes much sense that we continue to support building
> with
> versions of libraries that were deprecated >= 4 years ago (like GTK+
> 3.6). [1]
> 
> Having to support such old version of some libraries makes difficult
> to
> use new features, or causes the code to be full of ifdefs.
> 
> And in a practical sense, I really don't think nobody is using or
> needs
> to use WebKitGTK+ 2.12 with GTK+ 3.6. Anyone?
> 
> I really can't think of any real usage of this.
> 
> So, perhaps we can change that policy to something more practical
> like:
> 
> "WebKitGTK+ has to build both on the last version of Debian stable
> and
> the last version of Ubuntu LTS".

I like this idea, but we should probably consider more distros to be
fair.

> That means that we can raise any build-dependency version to:
> 
> maxVersionDependencyWebKitGTK+ = std::min(DebianStable, UbuntuLTS);
> 
> Both this two distributions are quite conservative in regards to
> raising
> versions of dependency and have a ~2-year release cycle. I think that
> aiming at building in both, is at the same time: conservative enough
> and
> flexible enough.
> 
>  - I think is conservative enough because I don't foresee this could
> cause any problems to any downstream. In the end we are aiming at
> supporting two of the most conservative/stable distributions.
> 
>  - I think this is flexible enough because it allows to raise the
> version of the dependencies each 2 years at least, which allows us to
> use or depend on new features more easily than nowadays.
> 
> 
> For example, nowadays Debian 8 stable has GTK+ 3.14, and Ubuntu 16.04
> LTS has GTK+ 3.18. This means that now we could raise the GTK+
> dependency to 3.14.
> 
> If the next year Debian 9 includes GTK+ 3.22, then we can raise it to
> 3.18 (until Ubuntu 18.04 is released)
> 
> 
> Opinions?

The main problem is the security updates, since you might need to
upgrade to a new major version to get updates, like distros do for the
other browsers. When releasing the security advisories, we could
include the list of commits in the branches that fixed the security
issues included in the report, so that distros could manually bakcport.

> 
> [1] https://trac.webkit.org/wiki/WebKitGTK/Dependencies
> 
> _______________________________________________
> webkit-gtk mailing list
> webkit-gtk at lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-gtk
-- 

Carlos Garcia Campos
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0xF3D322D0EC4582C3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: <https://lists.webkit.org/pipermail/webkit-gtk/attachments/20160708/0875d6a3/attachment.sig>

More information about the webkit-gtk mailing list