oss-sec mailing list archives

Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008


From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Thu, 1 Sep 2022 22:31:16 +0200

On 29/08/2022 20:03, Demi Marie Obenour wrote:
>> We (maintainers of Linux WebKit ports) don't have access to the security
>> issues affecting Apple products until those issues are made public by them.
> That is unfortunate.  I thought you would have access to embargoed
> bugzilla tickets.


We do have access to the tickets on WebKit bugzilla that are marked as
security-related and are hidden from other users by default.

However, we don't receive the information about which WebKit fixes will
be included in any Apple security update until those advisories are public.


>> So, we didn't know until August 17th of this issue. Also you can see
>> that the bug report itself or the patch doesn't have any indication that
>> it fixes a security-related problem.
>>
>> Therefore, the time it took us to notice the issue, backport the fix and
>> do a new release was just 7-8 days (from 17th to 24-25th of August).
>> Which, honestly, is quite good taking into account that: 1)
>> back-porting the fix was not straightforward since it required
>> back-porting also a few previous patches in order to be able to merge it
>> properly and that 2) we are in August and people are usually on holidays.
> Was backporting needed, as opposed to shipping a new minor version?


It was. Fixes land in the master (main) branch. Those fixes don't
necessarily apply or work on the latest webkitgtk stable branch.

A new webkitgtk/stable branch is forked from master (main) every 6
months, and once forked it receives cherry-picks from the main branch,
but it is never rebased.

We release a new major stable version every 6 months (2.XX), and then we
backport fixes in minor releases (2.XX.A) for 6 months until the next
major release is out (2.XY).

See:
https://trac.webkit.org/wiki/WebKitGTK/StableRelease
https://trac.webkit.org/wiki/WebKitGTK/2.36.x
