[webkit-gtk] How to fix CVEs of webkitgtk 2.36.x
Michael Catanzaro
mcatanzaro at redhat.com
Wed Mar 22 04:00:55 PDT 2023
On Wed, Mar 22 2023 at 11:26:56 AM +0200, Adrian Perez de Castro
<aperez at igalia.com> wrote:
> Recently advisories published by Apple include the Bugzilla issue numbers
> (e.g. [1]), so with some work you can find out which commits correspond to
> the fixes.
It finally occurs to me that since Apple now publishes the bug
information, we could start publishing revision information. We'd want
to fix [1] first.
> WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely update
> without needing to change applications. In general, we always keep the API and
> ABI backwards compatible.
For avoidance of doubt, WebKitGTK 2.40.x is backwards-compatible as
well and that will remain true indefinitely, as long as you continue to
build the same API version [2]. Adrian might be planning one last
2.38.x release, but it's really time to move on to 2.40.
On rare occasions, an upgrade might affect the behavior of particular
API functionality within the same API version, but this is unusual and
is avoided whenever possible. I don't think any APIs broke between 2.36
and 2.40, so that shouldn't be a problem for you this time. The goal is
for upgrades to be as safe as possible.
Michael
[1] https://bugs.webkit.org/show_bug.cgi?id=249672
[2] https://blogs.gnome.org/mcatanzaro/2023/03/21/webkitgtk-api-for-gtk-4-is-now-stable/