1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
webkit
------
This is the oldest WebKitGTK+ source package in Ubuntu. It is the
WebKitGTK+ upstream project. See: http://webkitgtk.org/
This package is only in precise.
Current stable tree (1.4.x) is here:
http://svn.webkit.org/repository/webkit/releases/WebKitGTK/webkit-1.4.0
Previous stable tree (1.2.x) was here:
http://gitorious.org/webkitgtk/stable/commits/master
webkitgtk
---------
This is the older WebKitGTK+ (pre-WebKit2) source package in Ubuntu. It is
the WebKitGTK+ upstream project. See: http://webkitgtk.org/
It is based on an older version which is no longer being developed.
Starting with Ubuntu 16.04 LTS, this package is in universe.
webkit2gtk
----------
This is the newer WebKitGTK+ source package based on WebKit2. It is the
WebKitGTK+ upstream project. See: http://webkitgtk.org/
Starting with Ubuntu 16.04 LTS, this package is in main.
qt4-x11
-------
On Jaunty and later, this contains a copy of the QTWebKit source code in
the src/3rdparty/webkit directory.
Upstream for QTWebKit is http://trac.webkit.org/wiki/QtWebKit
On Maverick and later, the QTWebKit source code isn't built, it has been
replaced by the qtwebkit-source package.
qtwebkit-source
---------------
This package exists on Maverick and later, and contains a copy of the
QTWebKit source code. It is used instead of the QTWebKit code in qt4-x11.
qtwebkit-opensource-src
-----------------------
This package exists in Raring and later, and contains a copy of the QTWebKit
source code (both Webkit1 and Webkit2). It is used by the Ubuntu SDK. It also
has code to use the V8 javascript engine, but uses the JavaScriptCore (JSC)
engine only on Ubuntu.
kdelibs
-------
WebKit was originally a fork of khtml from kdelibs. Codebase doesn't look
the same anymore.
kde4libs
--------
WebKit was originally a fork of khtml from kdelibs. Codebase doesn't look
the same anymore.
webkitkde
---------
This is just a wrapper, and contains no WebKit code.
chromium-browser
----------------
This package contains a fork of the WebKit code base (aka 'Blink'). It is
maintained separately by Google and is tracked in the 'chromium-browser'
boilerplate.
oxide
-----
Oxide is bindings for the chromium content api and therefore contains a fork
of the webkit code base (aka, 'Blink'). The chromium content api is maintained
separately by Google and Oxide is maintained by Canonical. Oxide is tracked in
the 'chromium-browser' boilerplate.
CVE Triage
----------
active/00boilerplate.webkit is used to capture the source package relationships
when triaging CVEs for webkit (ie, you only need to specify 'webkit' as the
source package).
When a CVE comes out MITRE generally assigns a CVE to chromium and webkit
separately, unless the chromium stable release text explicitly states there was
a problem in webkit. Considering this, the current triage practice is that we
will treat chromium and webkit separately (since that is what MITRE does) and
therefore if a CVE is listed for chromium only, we will not add webkit to the
tracker for that CVE.
This policy means that we will need to be careful to watch for CVE description
updates when using check-cves, and add webkit to a chromium CVE if MITRE does
(but changes to CVE description text should always be reviewed before
committing anyway).
Due to various upstreams' release models, support for webkit is limited to new
upstream minor version releases only. See
https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit for details.
|