Latest patch releases of libwpewebkit-1.0

Asked by glancr team

Hello maintainers,

thank you for importing WPE + related libraries from Debian upstream to the focal repositories; it really helps me maintain the wpe-webkit-mir-kiosk snap [1].

The WPE WebKit version in focal repos is still at 2.28.1, while the latest stable release is 2.28.4 [2]. As I understand it, patch updates are alright within an Ubuntu version's packaging policy. Would it be possible to update the package to the latest stable release?

I also filed the same question with:
* libwpebackend-fdo – focal at 1.6.0-1, upstream at 1.6.1
* cog – focal at 0.4.0-2, upstream at 0.6.0 which is also the version recommended by the WPE team for use with WPE 2.28.x [3]

Thanks in advance,
Tobias

[1] https://snapcraft.io/wpe-webkit-mir-kiosk
[2] https://wpewebkit.org/code/
[3] https://wpewebkit.org/release/schedule/

Question information

Language: English
Status: Answered
For: Ubuntu wpewebkit
Assignee: No assignee

glancr team (glancr) said :
#1

2.28.3 + 2.28.4 also contain quite a few security-related fixes (CVE): https://wpewebkit.org/security/

Manfred Hampl (m-hampl) said :
#2
glancr team (glancr) said :
#3

Thank you Manfred for the quick response! Apologies if I overlooked something obvious, I'm new to this process: To get the security updates for libwpewebkit into focal repositories, I need to

1) open an issue with the SRU bug template filled out
2) have it reviewed
3) if/when approved, the new version will gradually roll out to the focal-updates pocket?

Manfred Hampl (m-hampl) said :
#4

Yes, this is correct.

It will depend on the importance of the changes and the severity of the bugs whether the Ubuntu devs will decide to
either package version 2.28.4 in focal-updates
or create a new version in focal-updates (and/or focal-security) that contains only the patches for the severe bugs, but not additional functionality (probably then named something like 2.28.1-1ubuntu1).

Additional remark:
Canonical is aware of the CVEs, but apparently has not yet completed an in-depth investigation, see https://people.canonical.com/~ubuntu-security/cve/pkg/wpewebkit.html
