Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 1 Sep 2022 22:31:16 +0200
From: Carlos Alberto Lopez Perez <>
 Demi Marie Obenour <>,
 John Helmert III <>
Subject: Re: WebKitGTK and WPE WebKit Security Advisory

On 29/08/2022 20:03, Demi Marie Obenour wrote:
>> We (maintainers of Linux WebKit ports) don't have access to the security
>> issues affecting Apple products until those issues are made public by them.
> That is unfortunate.  I thought you would have access to embargoed
> bugzilla tickets.

We do have access to the tickets on WebKit bugzilla that are marked as
security-related and are hidden from other users by default.

However, we don't receive the information about which WebKit fixes will
be included in any Apple security update until those advisories are public.

>> So, we didn't knew until August 17th of this issue. Also you can see
>> that the bug report itself or the patch doesn't has any indication that
>> it fixes a security-related problem.
>> Therefore, the time it took us to notice the issue, backport the fix and
>> do a new release was just 7-8 days (from 17th to 24-25th of August).
>> Which, honestely, it is quite good taking into account that: 1)
>> back-porting the fix was not straightforward since it required
>> back-porting also a few previous patches in order to be able to merge it
>> properly and that 2) we are in August and people is usually on holidays.
> Was backporting needed, as opposed to shipping a new minor version?

It was. Fixes land in the master (main) branch. Those fixes don't
necessarely apply or work on the branch of the last webkitgtk-stable branch.

A new webkitgtk/stable branch is forked from master (main) each 6
months, and once forked it receives cherry-picks from the main branch,
but it is never rebased.

We release a new major stable version each 6 months (2.XX), and then we
backport fixes doing minor relases (2.XX.A) for 6 months until the next
major relaseis out (2.XY).


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.