{"update": {"autokarma": true, "autotime": true, "stable_karma": 3, "stable_days": 14, "unstable_karma": -3, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "Update to 2.28.3:\n\n * Fix kinetic scrolling with async scrolling.\n * Fix web process hangs on large GitHub pages.\n * Bubblewrap sandbox should not attempt to bind empty paths.\n * Fix threading issues in the media player.\n * Fix several crashes and rendering issues.\n * Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805, CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850, CVE-2020-13753", "type": "security", "status": "stable", "request": null, "severity": "medium", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": true, "critpath_groups": null, "close_bugs": true, "date_submitted": "2020-07-09 19:52:47", "date_modified": null, "date_approved": null, "date_testing": "2020-07-10 01:41:59", "date_stable": "2020-07-12 01:00:08", "alias": "FEDORA-2020-ab074c6cdf", "test_gating_status": "ignored", "from_tag": null, "date_pushed": "2020-07-12 01:00:08", "meets_testing_requirements": true, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2020-ab074c6cdf", "title": "webkit2gtk3-2.28.3-1.fc32", "version_hash": "d78b8be304321a8f26d3bf083290d03a9e555e9e", "release": {"name": "F32", "long_name": "Fedora 32", "version": "32", "id_prefix": "FEDORA", "branch": "f32", "dist_tag": "f32", "stable_tag": "f32-updates", "testing_tag": "f32-updates-testing", "candidate_tag": "f32-updates-candidate", "pending_signing_tag": "f32-signing-pending", "pending_testing_tag": "f32-updates-testing-pending", "pending_stable_tag": "f32-updates-pending", "override_tag": "f32-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "catanzaro", "email": "mcatanzaro@redhat.com", "id": 1020, "avatar": "https://seccdn.libravatar.org/avatar/c442b3fe1b661f7566d0e27e8c86631fca5c34c365941f03572587f80927de1b?s=24&d=retro", "openid": "catanzaro.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gnome-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "metrics-sig"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by catanzaro. ", "timestamp": "2020-07-09 19:52:47", "update_id": 218403, "user_id": 91, "id": 1451117, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2020-07-09 19:52:47", "update_id": 218403, "user_id": 91, "id": 1451118, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2020-07-09 19:52:47", "update_id": 218403, "user_id": 91, "id": 1451119, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2020-07-09 20:39:48", "update_id": 218403, "user_id": 91, "id": 1451207, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2020-07-10 01:43:02", "update_id": 218403, "user_id": 91, "id": 1451574, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 1, "karma_critpath": 0, "text": "Works.", "timestamp": "2020-07-10 06:58:51", "update_id": 218403, "user_id": 198, "id": 1451767, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bojan", "email": "bojan@rexursive.com", "id": 198, "avatar": "https://seccdn.libravatar.org/avatar/adb4c3f28bd6969871988f992b1bf71e404f03e3570fbfa0fc9bd7d0bf0003f8?s=24&d=retro", "openid": "bojan.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}]}}, {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2020-07-11 06:26:43", "update_id": 218403, "user_id": 947, "id": 1454066, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bitlord", "email": "bitlord0xff@gmail.com", "id": 947, "avatar": "https://seccdn.libravatar.org/avatar/a6856bb5f77fb03a9a09c4e6070fac5202f184b33756713afc3b34f3ff335a34?s=24&d=retro", "openid": "bitlord.id.fedoraproject.org", "groups": [{"name": "qa"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "l10n"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update can be pushed to stable now if the maintainer wishes", "timestamp": "2020-07-11 06:29:38", "update_id": 218403, "user_id": 91, "id": 1454068, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2020-07-11 09:03:51", "update_id": 218403, "user_id": 4120, "id": 1454097, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "atim", "email": "ego.cordatus@gmail.com", "id": 4120, "avatar": "https://seccdn.libravatar.org/avatar/8c3a317a13d88ca7421098b94cce0501c97ca2283e7139c4992df34f6218fb3b?s=24&d=retro", "openid": "atim.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "rust-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by bodhi. ", "timestamp": "2020-07-11 09:03:52", "update_id": 218403, "user_id": 91, "id": 1454098, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2020-07-12 01:01:24", "update_id": 218403, "user_id": 91, "id": 1454440, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "Does this update specifically require the `xdg-desktop-portal-gtk` implementation, or does it also work with `xdg-desktop-portal-kde` / `xdg-desktop-portal-wlc`, in which case it should just depend on the generic `xdg-desktop-portal`?", "timestamp": "2020-07-12 09:57:51", "update_id": 218403, "user_id": 2088, "id": 1454648, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "johnp117", "email": "johannespfrang@gmail.com", "id": 2088, "avatar": "https://seccdn.libravatar.org/avatar/03b76c43ddbfc86ba64927daf372e09039e2aceae77c3c69eff77ad99dd45cfa?s=24&d=retro", "openid": "johnp117.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}, {"karma": 0, "karma_critpath": 0, "text": "It depends on xdg-desktop-portal-gtk (it is WebKitGTK, after all :) and actually has since 2.26.0, but until now the dependency was missing from the spec file.", "timestamp": "2020-07-12 13:04:38", "update_id": 218403, "user_id": 1020, "id": 1454691, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "catanzaro", "email": "mcatanzaro@redhat.com", "id": 1020, "avatar": "https://seccdn.libravatar.org/avatar/c442b3fe1b661f7566d0e27e8c86631fca5c34c365941f03572587f80927de1b?s=24&d=retro", "openid": "catanzaro.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gnome-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "metrics-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Cinnamon (unlike GNOME) has never required xdg-desktop-portal-gtk, and this new dependency wants to drag in:\n\n\n=====================================================================================================================\n Package Architecture Version Repository Size\n=====================================================================================================================\nUpgrading:\n webkit2gtk3 x86_64 2.28.3-1.fc32 updates 15 M\n webkit2gtk3-jsc x86_64 2.28.3-1.fc32 updates 6.0 M\nInstalling dependencies:\n flatpak-selinux noarch 1.6.4-1.fc32 updates 23 k\n flatpak-session-helper x86_64 1.6.4-1.fc32 updates 77 k\n libappstream-glib x86_64 0.7.17-1.fc32 fedora 335 k\n low-memory-monitor x86_64 2.0-4.fc32 fedora 34 k\n xdg-desktop-portal x86_64 1.7.2-2.fc32 updates 434 k\n xdg-desktop-portal-gtk x86_64 1.7.1-1.fc32 fedora 239 k\nInstalling weak dependencies:\n flatpak x86_64 1.6.4-1.fc32 updates 1.5 M\n p11-kit-server x86_64 0.23.20-1.fc32 fedora 189 k\n
\n\nSo this one dependency leads to a long chain of unnecessary packages, which webkit2gtk3 managed fine without previously despite having needing it since 2.26.0.\nDo i really need flatpak-selinux and flatpak-session-helper? Especially if I exclude the weak dependencies.", "timestamp": "2020-07-12 15:09:57", "update_id": 218403, "user_id": 1855, "id": 1454742, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "jonathans", "email": "bugzilla_acct_1959@yahoo.com", "id": 1855, "avatar": "https://seccdn.libravatar.org/avatar/be11a66f21043caddb7c48ec8203501453d92b830c9dd3a6de440f38b3fc8308?s=24&d=retro", "openid": "jonathans.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}, {"karma": 0, "karma_critpath": 0, "text": "So I can change the dependency to only require xdg-desktop-portal, but this means that the web process won't be able to see GTK-related settings, e.g. your host font configuration. Those are not exposed by xdg-desktop-portal, only by xdg-desktop-portal-gtk. (I'm kinda tired of bug reports about broken font settings.) I guess I can change it to Recommends though, so you can uninstall it if you really want to, on the understanding that you're going to have degraded behavior if it's missing.\n\nI don't know about flatpak-session-helper, but understanding that WebKit isn't going to work properly without xdg-desktop-portal-gtk, and that xdg-desktop-portal-gtk requires flatpak-session-helper, I'd guess it's probably important. :)", "timestamp": "2020-07-12 16:20:09", "update_id": 218403, "user_id": 1020, "id": 1454783, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "catanzaro", "email": "mcatanzaro@redhat.com", "id": 1020, "avatar": "https://seccdn.libravatar.org/avatar/c442b3fe1b661f7566d0e27e8c86631fca5c34c365941f03572587f80927de1b?s=24&d=retro", "openid": "catanzaro.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gnome-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "metrics-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "I'll discuss the dependency with other maintainers and see what they think should be done.", "timestamp": "2020-07-12 16:27:41", "update_id": 218403, "user_id": 1020, "id": 1454792, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "catanzaro", "email": "mcatanzaro@redhat.com", "id": 1020, "avatar": "https://seccdn.libravatar.org/avatar/c442b3fe1b661f7566d0e27e8c86631fca5c34c365941f03572587f80927de1b?s=24&d=retro", "openid": "catanzaro.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gnome-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "metrics-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "> I'll discuss the dependency with other maintainers and see what they think should be done.\n\nOK, it seems the settings portal is designed to utilize multiple portal backends at once. E.g. if you have both xdg-desktop-portal-gtk and xdg-desktop-portal-kde installed, you'll get both GTK and Qt settings. So it's expected to have multiple portal backends running at the same time.\n\nThe design is not perfect, though, because this is very confusing. Users running Qt apps in GNOME might miss Qt settings (or KDE settings?) without xdg-desktop-portal-kde installed, and users running GTK apps in KDE might miss GTK settings without xdg-desktop-portal-gtk installed. The design is also confusing and non-parallel in that one backend corresponds to a desktop environment (KDE) while the other corresponds to a graphical toolkit (GTK). So a rethink is certainly in order. But this is what we have today.\n\n> So this one dependency leads to a long chain of unnecessary packages, which webkit2gtk3 managed fine without previously despite having needing it since 2.26.0. Do i really need flatpak-selinux and flatpak-session-helper? Especially if I exclude the weak dependencies.\n\nProblem is that if you don't have xdg-destkop-portal-gtk, then, for example, you won't have antialiased fonts in sandboxed applications. If your fonts don't look like total crap with that package missing, that means the application is unsandboxed and unsafe. See, for example, https://bugzilla.redhat.com/show_bug.cgi?id=1816442. Also, many other functions that depend on host portals will not work, e.g. printing, notifications, etc.\n\nI can change it from Requires to Recommends in the next update if you want; however, that will result in seriously degraded functionality. So with that all in mind, do you want me to make that change? I assume that users who choose not to install Recommends should be OK with having some features not work properly (but I suspect that's not always the case :)", "timestamp": "2020-07-13 17:27:36", "update_id": 218403, "user_id": 1020, "id": 1456108, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "catanzaro", "email": "mcatanzaro@redhat.com", "id": 1020, "avatar": "https://seccdn.libravatar.org/avatar/c442b3fe1b661f7566d0e27e8c86631fca5c34c365941f03572587f80927de1b?s=24&d=retro", "openid": "catanzaro.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gnome-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "metrics-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Sorry, https://bugzilla.redhat.com/show_bug.cgi?id=1816442 was not the same bug I thought it was. Better link is https://github.com/flatpak/flatpak/issues/2861. Note that although WebKit does not use flatpak itself, its sandbox is very similar to flatpak and depends on both xdg-desktop-portal and xdg-desktop-portal-gtk.", "timestamp": "2020-07-13 17:31:39", "update_id": 218403, "user_id": 1020, "id": 1456122, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "catanzaro", "email": "mcatanzaro@redhat.com", "id": 1020, "avatar": "https://seccdn.libravatar.org/avatar/c442b3fe1b661f7566d0e27e8c86631fca5c34c365941f03572587f80927de1b?s=24&d=retro", "openid": "catanzaro.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gnome-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "metrics-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "Thanks for looking into this - it's appreciated.\n\nI've been doing a bit more digging. On my GNOME machine:\n\n\ndnf repoquery --whatdepends xdg-desktop-portal-gtk\nLast metadata expiration check: 1:20:14 ago on Tue 14 Jul 2020 12:46:52 CEST.\ngnome-shell-0:3.36.1-4.fc32.x86_64\ngnome-shell-0:3.36.4-1.fc32.x86_64\ngnome-shell-extension-desktop-icons-0:19.10.2-2.fc32.noarch\ngnome-shell-extension-desktop-icons-0:20.04.0-1.fc32.noarch\nwebkit2gtk3-0:2.28.3-1.fc32.i686\nwebkit2gtk3-0:2.28.3-1.fc32.x86_64\n
\n\nNote that only GNOME required xdg-desktop-portal-gtk before this new webkit2gtk3 dependency.\nIn particular, other GTK3 desktops like Cinnamon and Xfce didn't. As you say, confusion over desktop vs toolkit.\n\n\nOf course, xdg-desktop-portal-gtk drags in xdg-desktop-portal, which \"recommends\" (I presume that's a weak dependency) flatpak. This strikes me as odd - if I wanted flatpak, I'd install it explicitly.\n\n\ndnf repoquery --recommends xdg-desktop-portal\nLast metadata expiration check: 1:32:42 ago on Tue 14 Jul 2020 12:46:52 CEST.\nflatpak >= 1.2.0\npipewire >= 0.2.90\n
\n\nOddly, it looks like dnf shows dependencies of flatpak (a weak dependency) as full dependencies (flatpak-selinux, etc) as they disappear with setopt=install_weak_deps=False.\n\n\ndnf upgrade webkit2gtk3 --setopt=install_weak_deps=False\nLast metadata expiration check: 0:01:08 ago on Tue 14 Jul 2020 14:10:43 CEST.\nDependencies resolved.\n================================================================================\n Package Arch Version Repository Size\n================================================================================\nUpgrading:\n webkit2gtk3 x86_64 2.28.3-1.fc32 updates 15 M\n webkit2gtk3-jsc x86_64 2.28.3-1.fc32 updates 6.0 M\nInstalling dependencies:\n low-memory-monitor x86_64 2.0-4.fc32 fedora 34 k\n xdg-desktop-portal x86_64 1.7.2-2.fc32 updates 434 k\n xdg-desktop-portal-gtk x86_64 1.7.1-1.fc32 fedora 239 k\n\nTransaction Summary\n================================================================================\nInstall 3 Packages\nUpgrade 2 Packages\n\nTotal download size: 22 M\n
\n\nTo sum up:\n1) xdg-desktop-portal recommends flatpak - why?
\n2) dnf showing of dependencies is odd, to say the least.
\n\ndnf upgrade webkit2gtk3 --setopt=install_weak_deps=False is acceptable (ie no flatpak installed). So leave your dependency as it is.\n\nThanks for your efforts.", "timestamp": "2020-07-14 13:05:05", "update_id": 218403, "user_id": 1855, "id": 1457230, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "jonathans", "email": "bugzilla_acct_1959@yahoo.com", "id": 1855, "avatar": "https://seccdn.libravatar.org/avatar/be11a66f21043caddb7c48ec8203501453d92b830c9dd3a6de440f38b3fc8308?s=24&d=retro", "openid": "jonathans.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}, {"karma": 0, "karma_critpath": 0, "text": "I'll switch it to Recommends in the next update anyway. Just be careful if you don't install weak deps. ;)", "timestamp": "2020-07-14 21:43:47", "update_id": 218403, "user_id": 1020, "id": 1457863, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "catanzaro", "email": "mcatanzaro@redhat.com", "id": 1020, "avatar": "https://seccdn.libravatar.org/avatar/c442b3fe1b661f7566d0e27e8c86631fca5c34c365941f03572587f80927de1b?s=24&d=retro", "openid": "catanzaro.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "gnome-sig"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "metrics-sig"}]}}], "builds": [{"nvr": "webkit2gtk3-2.28.3-1.fc32", "signed": true, "release_id": 35, "type": "rpm", "epoch": 0}], "bugs": [], "updateid": "FEDORA-2020-ab074c6cdf", "karma": 3, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}