Interesting. I have one major disagreement. This:

"This seems to me like a good reason for application maintainers to carefully test the updates"

Doesn't seem remotely feasible. Every security release should be manually QA'd by the distribution? If they are already worried enough not to take such updates, I doubt they have the manpower to cover everything not covered by integration tests (a lot?).
Well, there are hundreds of thousands of tests checked into various repos. WebKit has > 45k tests and there are open test suites for many web APIs. Of course it's work to get some testing infrastructure set up, but once set up it's mostly automated?

I suppose not, it just adds something else that needs to be maintained :P


One would hope that whoever committed the patches already ran those tests, so the bugs that get through will mostly be ones that the tests couldn't catch - for example, issues with applications that integrate WebKitGTK+ not functioning properly with the new version. Incidentally, GTK+ as a whole has a terrible record when it comes to backwards-compatibility these days.

And as the post makes clear, the security upgrades don't even help that much because the original WebKitGTK+ API isn't receiving them anymore, and moving to the new API requires massive changes that distros certainly can't ship in an update to a stable release. Apparently they gave applications "a full year to upgrade", which is shorter than the lifespan of distro releases and not realistic given that it requires upgrading to GTK+ 3 and more major changes on top of that. Just the GTK+ 3 switch alone is a multi-year project for complex software, and not helped by the fact they keep breaking their API in new versions. Case in point: https://bugzilla.gnome.org/show_bug.cgi?id=757503
