From Fedora Project Wiki
Line 128: Line 128:
 
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed)
 
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed)
  
* Policies and guidelines: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Policies and guidelines:
 
No policy or guidelines updates necessary.
 
No policy or guidelines updates necessary.
  

Revision as of 11:41, 6 November 2020

Qtwebkit removal

Summary

Qtwebkit (qt4 era package) is dead upstream, and has hundreds of known CVEs. Also, it requires qt-location, which does not build against current proj versions. It's time to remove qtwebkit from the distribution. See also #1711519

Owner

Current status

  • Targeted release: Fedora 34
  • Last updated: 2020-11-06
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Here is a current list of packages depending on qtwebkit, and the relative proposals of how to deal with them:

  • amarok-0:2.9.0-9.fc33.x86_64
 => Musicplayer. Switch to a current git master snapshot, which is KF5 based (https://invent.kde.org/multimedia/amarok)
  • arora-0:0.11.0-23.fc33.x86_64
 => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit.
  • brewtarget-0:2.1.0-16.fc33.x86_64
 => Upgrade to 2.3.0 release which supports Qt5 
  • gambas3-gb-qt4-webkit-0:3.15.2-1.fc34.x86_64
 => Drop subpackage
  • kde-runtime-libs-0:17.08.3-15.fc33.x86_64
 => Can be compiled without kdelibs-webkit support
  • kdelibs-webkit-6:4.14.38-23.fc34.x86_64
 => Drop subpackage
  • knode-libs-0:4.14.10-44.fc33.x86_64
 => Required by knode, an newsreading application, part of kdepim4. Retire kdepim4.
  • krecipes-0:2.1.0-12.fc33.x86_64
 => Recipies applicaiton, dead upstream. Retire.
  • ksysguard-libs-1:4.11.22-28.fc33.x86_64
 => Part of kde-workspace, which can be retired, see below.
  • libkfbapi-0:1.0-16.fc32.x86_64
 => Leaf, retire
  • python3-PyQt4-webkit-0:4.12.3-13.fc33.x86_64
 => Leaf, retire
  • qlandkartegt-0:1.8.1-28.fc33.x86_64
 => Retire
  • qmc2-0:0.195-14.fc34.x86_64
 => Latest trunk supports Qt5
  • qt-assistant-1:4.8.7-57.fc34.x86_64
 => Drop subpackae
  • qt-demos-1:4.8.7-57.fc34.x86_64
 => Drop subpackae
  • qt-designer-plugin-webkit-1:4.8.7-57.fc34.x86_64
 => Drop subpackae
  • qt-examples-1:4.8.7-57.fc34.x86_64
 => Drop subpackae
  • qt4pas-0:2.5-21.fc33.x86_64
 => Leaf, retire
  • qtscriptbindings-0:0.2.0-23.fc33.x86_64
 => Part of qtscriptgenerator, Only required by amarok. Retire.
  • rekonq-0:2.4.2-17.fc33.x86_64
 => Browser. Retire, no-one should be using this considering the CVEs in qtwebkit.
  • timetablemate-0:0.10-0.24.20111204git.fc32.x86_64
 => Plasma 5 applet, last activity in 2013. Retire.

kde-workspace:

  • kcm_colors-4.11.22-28.fc33.x86_64
 => Obsolete KDE4 desktop component
  • kde-platform-plugin-4.11.22-28.fc33.x86_64
 => Obsolete KDE4 desktop component
  • kde-workspace-devel-4.11.22-28.fc33.x86_64
 => Leaf
  • kdm-4.11.22-28.fc33.x86_64
 => Leaf, obsolete
  • kgreeter-plugins
 => Obsolete KDE4 desktop component
  • ksysguard-libs
 => Only required by kde-workspace-devel
  • ksystraycmd
 => Obsolete KDE4 desktop component
  • libkworkspace
 => Required by kwooty "Kwooty is a NZB usenet binary download application for KDE 4", which is dead since 2018.

Feedback

Benefit to Fedora

Removal obsolete and insecure packages

Scope

  • Proposal owners:

The following packages will be updated:

  • amarok: latest git
  • brewtarget: 2.3.0
  • qmc2: latest trunk

The following packages will be retired:

  • arora
  • kdepim4
  • krecipes
  • libkfbapi
  • qlandkartegt
  • qt4pas
  • qtscriptgenerator
  • rekonq
  • timetablemate

The following subpackages will be removed, and added to fedora-obsolete-packages:

  • gambas3-gb-qt4-webkit
  • kdelibs-webkit
  • qt-assistant
  • qt-demos
  • qt-designer-plugin-webkit
  • qt-examples
  • Other developers:

No work should be needed from other developers.

  • Policies and guidelines:

No policy or guidelines updates necessary.

Upgrade/compatibility impact

Retired subpackages will be obsoleted by fedora-obsolete-packages. Others will remain as leafs.

How To Test

Nothing to test really, packages will just disappear.

User Experience

Some old applications will disappear.

Dependencies

See above.

Contingency Plan

None.

Release Notes

Fedora 34 will drop the unmaintained and insecure qtwebkit package.