FEDORA-2020-ab074c6cdf created by catanzaro a year ago for Fedora 32
stable

Update to 2.28.3:

  • Fix kinetic scrolling with async scrolling.
  • Fix web process hangs on large GitHub pages.
  • Bubblewrap sandbox should not attempt to bind empty paths.
  • Fix threading issues in the media player.
  • Fix several crashes and rendering issues.
  • Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805, CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850, CVE-2020-13753

How to install

sudo dnf upgrade --advisory=FEDORA-2020-ab074c6cdf

This update has been submitted for testing by catanzaro.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update's test gating status has been changed to 'waiting'.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update has been pushed to testing.

a year ago
User Icon bojan commented & provided feedback a year ago
karma

Works.

User Icon bitlord provided feedback a year ago
karma

This update can be pushed to stable now if the maintainer wishes

a year ago
User Icon atim provided feedback a year ago
karma

This update has been submitted for stable by bodhi.

a year ago

This update has been pushed to stable.

a year ago

Does this update specifically require the xdg-desktop-portal-gtk implementation, or does it also work with xdg-desktop-portal-kde / xdg-desktop-portal-wlc, in which case it should just depend on the generic xdg-desktop-portal?

It depends on xdg-desktop-portal-gtk (it is WebKitGTK, after all :) and actually has since 2.26.0, but until now the dependency was missing from the spec file.

Cinnamon (unlike GNOME) has never required xdg-desktop-portal-gtk, and this new dependency wants to drag in:


=====================================================================================================================
 Package                              Architecture         Version                       Repository             Size
=====================================================================================================================
Upgrading:
 webkit2gtk3                          x86_64               2.28.3-1.fc32                 updates                15 M
 webkit2gtk3-jsc                      x86_64               2.28.3-1.fc32                 updates               6.0 M
Installing dependencies:
 flatpak-selinux                      noarch               1.6.4-1.fc32                  updates                23 k
 flatpak-session-helper               x86_64               1.6.4-1.fc32                  updates                77 k
 libappstream-glib                    x86_64               0.7.17-1.fc32                 fedora                335 k
 low-memory-monitor                   x86_64               2.0-4.fc32                    fedora                 34 k
 xdg-desktop-portal                   x86_64               1.7.2-2.fc32                  updates               434 k
 xdg-desktop-portal-gtk               x86_64               1.7.1-1.fc32                  fedora                239 k
Installing weak dependencies:
 flatpak                              x86_64               1.6.4-1.fc32                  updates               1.5 M
 p11-kit-server                       x86_64               0.23.20-1.fc32                fedora                189 k

So this one dependency leads to a long chain of unnecessary packages, which webkit2gtk3 managed fine without previously despite having needing it since 2.26.0. Do i really need flatpak-selinux and flatpak-session-helper? Especially if I exclude the weak dependencies.

So I can change the dependency to only require xdg-desktop-portal, but this means that the web process won't be able to see GTK-related settings, e.g. your host font configuration. Those are not exposed by xdg-desktop-portal, only by xdg-desktop-portal-gtk. (I'm kinda tired of bug reports about broken font settings.) I guess I can change it to Recommends though, so you can uninstall it if you really want to, on the understanding that you're going to have degraded behavior if it's missing.

I don't know about flatpak-session-helper, but understanding that WebKit isn't going to work properly without xdg-desktop-portal-gtk, and that xdg-desktop-portal-gtk requires flatpak-session-helper, I'd guess it's probably important. :)

I'll discuss the dependency with other maintainers and see what they think should be done.

I'll discuss the dependency with other maintainers and see what they think should be done.

OK, it seems the settings portal is designed to utilize multiple portal backends at once. E.g. if you have both xdg-desktop-portal-gtk and xdg-desktop-portal-kde installed, you'll get both GTK and Qt settings. So it's expected to have multiple portal backends running at the same time.

The design is not perfect, though, because this is very confusing. Users running Qt apps in GNOME might miss Qt settings (or KDE settings?) without xdg-desktop-portal-kde installed, and users running GTK apps in KDE might miss GTK settings without xdg-desktop-portal-gtk installed. The design is also confusing and non-parallel in that one backend corresponds to a desktop environment (KDE) while the other corresponds to a graphical toolkit (GTK). So a rethink is certainly in order. But this is what we have today.

So this one dependency leads to a long chain of unnecessary packages, which webkit2gtk3 managed fine without previously despite having needing it since 2.26.0. Do i really need flatpak-selinux and flatpak-session-helper? Especially if I exclude the weak dependencies.

Problem is that if you don't have xdg-destkop-portal-gtk, then, for example, you won't have antialiased fonts in sandboxed applications. If your fonts don't look like total crap with that package missing, that means the application is unsandboxed and unsafe. See, for example, https://bugzilla.redhat.com/show_bug.cgi?id=1816442. Also, many other functions that depend on host portals will not work, e.g. printing, notifications, etc.

I can change it from Requires to Recommends in the next update if you want; however, that will result in seriously degraded functionality. So with that all in mind, do you want me to make that change? I assume that users who choose not to install Recommends should be OK with having some features not work properly (but I suspect that's not always the case :)

Sorry, https://bugzilla.redhat.com/show_bug.cgi?id=1816442 was not the same bug I thought it was. Better link is https://github.com/flatpak/flatpak/issues/2861. Note that although WebKit does not use flatpak itself, its sandbox is very similar to flatpak and depends on both xdg-desktop-portal and xdg-desktop-portal-gtk.

Thanks for looking into this - it's appreciated.

I've been doing a bit more digging. On my GNOME machine:


dnf repoquery --whatdepends xdg-desktop-portal-gtk
Last metadata expiration check: 1:20:14 ago on Tue 14 Jul 2020 12:46:52 CEST.
gnome-shell-0:3.36.1-4.fc32.x86_64
gnome-shell-0:3.36.4-1.fc32.x86_64
gnome-shell-extension-desktop-icons-0:19.10.2-2.fc32.noarch
gnome-shell-extension-desktop-icons-0:20.04.0-1.fc32.noarch
webkit2gtk3-0:2.28.3-1.fc32.i686
webkit2gtk3-0:2.28.3-1.fc32.x86_64

Note that only GNOME required xdg-desktop-portal-gtk before this new webkit2gtk3 dependency. In particular, other GTK3 desktops like Cinnamon and Xfce didn't. As you say, confusion over desktop vs toolkit.

Of course, xdg-desktop-portal-gtk drags in xdg-desktop-portal, which "recommends" (I presume that's a weak dependency) flatpak. This strikes me as odd - if I wanted flatpak, I'd install it explicitly.


dnf repoquery --recommends xdg-desktop-portal
Last metadata expiration check: 1:32:42 ago on Tue 14 Jul 2020 12:46:52 CEST.
flatpak >= 1.2.0
pipewire >= 0.2.90

Oddly, it looks like dnf shows dependencies of flatpak (a weak dependency) as full dependencies (flatpak-selinux, etc) as they disappear with setopt=install_weak_deps=False.


dnf upgrade webkit2gtk3 --setopt=install_weak_deps=False
Last metadata expiration check: 0:01:08 ago on Tue 14 Jul 2020 14:10:43 CEST.
Dependencies resolved.
================================================================================
 Package                     Arch        Version             Repository    Size
================================================================================
Upgrading:
 webkit2gtk3                 x86_64      2.28.3-1.fc32       updates       15 M
 webkit2gtk3-jsc             x86_64      2.28.3-1.fc32       updates      6.0 M
Installing dependencies:
 low-memory-monitor          x86_64      2.0-4.fc32          fedora        34 k
 xdg-desktop-portal          x86_64      1.7.2-2.fc32        updates      434 k
 xdg-desktop-portal-gtk      x86_64      1.7.1-1.fc32        fedora       239 k

Transaction Summary
================================================================================
Install  3 Packages
Upgrade  2 Packages

Total download size: 22 M

To sum up:

1) xdg-desktop-portal recommends flatpak - why?
2) dnf showing of dependencies is odd, to say the least.

dnf upgrade webkit2gtk3 --setopt=install_weak_deps=False is acceptable (ie no flatpak installed). So leave your dependency as it is.

Thanks for your efforts.

I'll switch it to Recommends in the next update anyway. Just be careful if you don't install weak deps. ;)


Please login to add feedback.

Metadata
Type
security
Severity
medium
Karma
3
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
14 days
Dates
submitted
a year ago
in testing
a year ago
in stable
a year ago

Automated Test Results