<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Thank you Michael,<br>
<br>
I forgot to mention, we are using Webkit2<br>
<br>
For poodle, we do export the environment variable - same entry you
have mentioned. In fact you gave us the string back in November.<br>
This fixed some sites, but broke others. Right now we
enable/disable environment variable based on site. Based on your
comments, this may not help us more in that direction.<br>
<br>
If you still want (as you mentioned on Nov 17th mail on same
list), I can try to get you list of sites where it breaks.<br>
<br>
Regards,<br>
<br>
Niranjan<br>
<br>
On 01/09/2015 07:13 PM, Michael Catanzaro wrote:<br>
</div>
<blockquote cite="mid:1420859634.6322.0@mail.igalia.com" type="cite">On
Fri, Jan 9, 2015 at 7:26 PM, Niranjan Rao <a class="moz-txt-link-rfc2396E" href="mailto:nhrdls@gmail.com"><nhrdls@gmail.com></a>
wrote:<br>
<blockquote type="cite">
<div class="plaintext" style="white-space: pre-wrap;">Greetings,
Right now we are on 2.2.6 version and we are thinking of
upgrading. Most interesting stuff for us is POODLE
vulnerability fix.</div>
</blockquote>
<div><br>
</div>
<div>You can mitigate POODLE without any update by setting an
environment variable before launching the browser:</div>
<div><br>
</div>
<div>export
G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT:%LATEST_RECORD_VERSION:-VERS-SSL3.0</div>
<div><br>
</div>
<div>If you upgrade to 2.4.8 and use the WebKit2 API, you won't
need to do that anymore, but if you use the WebKit1 API, you
must still do that for yourself. For WebKit1 applications,
consider setting it with setenv() on the very first line of
main(). See [1] for more info on this.</div>
<br>
<blockquote type="cite">
<div class="plaintext" style="white-space: pre-wrap;">The site
mentions three versions 2.4.8/2.7.3/2.6.4. Which version
should be use?</div>
</blockquote>
<div><br>
</div>
<div>2.7.3 is the unstable version. You don't want that. The odd
second digit indicates that it's unstable, even indicates
stable.</div>
<div><br>
</div>
<div>2.6.4 is the latest stable version, but 2.4.8 is the last
version with the WebKit1 API. If your application uses WebKit1,
you need to stick with 2.4.x until you have updated it to use
the WebKit2 API. 2.6.x and 2.4.x are parallel-installable for
this reason.</div>
<br>
<blockquote type="cite">
<div class="plaintext" style="white-space: pre-wrap;">We have a
custom extension working for version 2.2.6. Should be expect
any surprises for the extension if we upgrade to newer
version?</div>
</blockquote>
<div><br>
</div>
<div>2.2.x -> 2.4.x should be easy and relatively safe (there
will be the usual mix of bugfixes and new bugs). Both of these
versions include both the WebKit1 and WebKit2 API, to make it
easier to transition. Then you can upgrade to 2.6.x once your
app has been ported to WebKit2 (if it hasn't been already).</div>
<div><br>
</div>
<blockquote type="cite">
<div class="plaintext" style="white-space: pre-wrap;">Right now
we are on Ubuntu 12.04. We did compile/install all the
required dependencies needed for 2.2.6 that were not part of
standard Ubuntu repositories - mostly newer versions of
libraries. Will latest code run Ubuntu 12.04 if we manage to
install dependencies?</div>
</blockquote>
<br>
<div>If you can install all the dependencies, then it will
probably work fine. Good luck.</div>
<div><br>
</div>
<div>Michael</div>
<div><br>
</div>
<div>[1] <a moz-do-not-send="true"
href="https://lists.webkit.org/pipermail/webkit-gtk/2014-October/002110.html">https://lists.webkit.org/pipermail/webkit-gtk/2014-October/002110.html</a></div>
</blockquote>
<br>
</body>
</html>