| 2 | |
| 3 | WK1 support in the GTK+ port ended last summer[[BR]] |
| 4 | WK1 apps have three options:[[BR]] |
| 5 | port WK1 apps to WK2 (best option, about 1/2 done)[[BR]] |
| 6 | bring WK1 back and maintain it again (requires too much manpower)[[BR]] |
| 7 | merge security fixes back to old branch (becomes harder and harder over time)[[BR]] |
| 8 | Email clients are hard to port because of DOM operations[[BR]] |
| 9 | [[BR]] |
| 10 | CVEs from Apple don’t include information about how to exploit the vulnerability[[BR]] |
| 11 | Igalia made a security advisory, has one member of the security team (Carlos Garcia)[[BR]] |
| 12 | http://webkitgtk.org/security/WSA-2015-0001.html[[BR]] |
| 13 | Apple does not release information about security fixes to security team members, no way to make another one[[BR]] |
| 14 | Who from Apple sent this information in the past? Don’t know. Igalia will contact Alex Christensen with this information[[BR]] |
| 15 | WebKitGTK+ releases every 6 months, fixes security bugs, but also adds 6 months of new security bugs[[BR]] |
| 16 | To convince Fedora to upgrade to WebKitGTK+2.8, they need a list of CVEs[[BR]] |
| 17 | Debian won’t accept updates either without documentation of CVEs[[BR]] |
| 18 | BadSSL.com will show a warning that headers were sent before a secure connection is established[[BR]] |
| 19 | cookies are leaked to unverified attackers - not just libsoup problem - CVE-2015-2330[[BR]] |
| 20 | Bug in gcc 4.8 caused a crash in legacy IndexedDB code, but distributions still use gcc 4.8[[BR]] |
| 21 | https://support.apple.com/en-us/HT205265 example of Safari security advisory[[BR]] |
| 22 | Igalia wants a link between those CVE numbers and the Bugzilla bug or merged code revision[[BR]] |
| 23 | equivalent would be if we commented in Bugzilla with the CVE number[[BR]] |
| 24 | Web Engines Hackfest in December in Spain[[BR]] |
| 25 | [[BR]] |
| 26 | GTK+ has no sandboxes right now, any security exploit has complete access to the computer (but not as root)[[BR]] |
| 27 | A seccomp-filter-based sandbox would need to be specific to each Linux distribution because WebKitGTK+ has lots of dependencies which use different system calls[[BR]] |
| 28 | network namespace, filesystem namespace should be used instead[[BR]] |
| 29 | Remove non-network process compile configurations[[BR]] |
| 30 | [[BR]] |
| 31 | Chrome and Firefox are disabling RC4 fallback in January or February 2016; WebKitGTK+ disabled it last year[[BR]] |
| 32 | americanairlines.com fails[[BR]] |
| 33 | Safari has no security indicator when HTTP is used; Chrome and Firefox are moving to a broken lock icon for all HTTP instead of nothing[[BR]] |
| 34 | [[BR]] |
| 35 | |