[webkit-gtk] How to fix CVEs of webkitgtk 2.36.x

不会弹吉他的KK kai.7.kang at gmail.com
Sun Mar 26 23:17:19 PDT 2023


On Wed, Mar 22, 2023 at 7:01 PM Michael Catanzaro <mcatanzaro at redhat.com>
wrote:

> On Wed, Mar 22 2023 at 11:26:56 AM +0200, Adrian Perez de Castro
> <aperez at igalia.com> wrote:
> > Recently advisories published by Apple include the Bugzilla issue
> > numbers
> > (e.g. [1]), so with some work you can find out which commits
> > correspond to
> > the fixes.
>
> It finally occurs to me that since Apple now publishes the bug
> information, we could start publishing revision information. We'd want
> to fix [1] first.
>

Hi Adrián and Michael,

Thanks. I'll try to do more searching for the existing CVEs.


> > WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely
> > update
> > without needing to change applications. In general, we always keep
> > the API and
> > ABI backwards compatible.
>
> For avoidance of doubt, WebKitGTK 2.40.x is backwards-compatible as
> well and that will remain true indefinitely, as long as you continue to
> build the same API version [2]. Adrian might be planning one last
> 2.38.x release, but it's really time to move on to 2.40.
>
> On rare occasions, an upgrade might affect the behavior of particular
> API functionality within the same API version, but this is unusual and
> is avoided whenever possible. I don't think any APIs broke between 2.36
> and 2.40, so that shouldn't be a problem for you this time. The goal is
> for upgrades to be as safe as possible.
>

Great. Your comments will be powerful evidence for upgrading webkitgtk on
the Yocto LTS release.

Thanks a lot.
Kai


> Michael
>
> [1] https://bugs.webkit.org/show_bug.cgi?id=249672
> [2] https://blogs.gnome.org/mcatanzaro/2023/03/21/webkitgtk-api-for-gtk-4-is-now-stable/
>
>
>