dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

Switch from webkit2gtk 4.0 to 4.1 #92

Closed jbicha closed 4 months ago

jbicha commented 7 months ago

webkit2gtk 4.1 is the same as 4.0 except that 4.1 uses libsoup3 and 4.0 uses libsoup2.4. Since your project doesn't use libsoup directly, this is an easy swap.

Every distro with current webkitgtk support should have the 4.1 packages including Debian 12 and Ubuntu 22.04 LTS.

Fedora has stopped building the 4.0 packages in preparation for their Fedora 40 release in a few months. Debian and Ubuntu are working on removing 4.0 also.

pboushy commented 4 months ago

This looks like it could prevent old gp-saml-gui from running on older OSes (e.g. Ubuntu 20.04)

Wouldn't it be better to have it use either 4.0 or 4.1?

jbicha commented 4 months ago

webkit2gtk does not have any security support in Ubuntu 20.04 LTS. No other distros that old provide security support for webkit2gtk either. Personally, I think you'd be better off just switching like this merge request does.

However, it is possible to modify the code to fall back to importing 4.0 if 4.1 is not available.

dlenski commented 4 months ago

> webkit2gtk does not have any security support in Ubuntu 20.04 LTS. No other distros that old provide security support for webkit2gtk either.

It's still an extremely widely-used distribution (and what I'm using myself :grimacing:). And it appears that it is still receiving security updates from Ubuntu; at least, it's in the security suite for Ubuntu 20.04 LTS packages.

> This looks like it could prevent old gp-saml-gui from running on older OSes (e.g. Ubuntu 20.04)
>
> Wouldn't it be better to have it use either 4.0 or 4.1?

I agree with @pboushy here. How about this?

```python
import warnings
import gi

gi.require_version('Gtk', '3.0')
try:
    gi.require_version('WebKit2', '4.1')
except ValueError:  # I wish this were ImportError
    gi.require_version('WebKit2', '4.0')
    warnings.warn("Using WebKit2Gtk 4.0 (obsolete); please upgrade to WebKit2Gtk 4.1")
```

jbicha commented 4 months ago

You can get a better view by looking at https://launchpad.net/ubuntu/+source/webkit2gtk . Yes, Ubuntu 20.04 LTS did get security support for webkit2gtk but it stopped a year ago.

This is because of upstream webkit2gtk's dependency/support policy: https://docs.webkit.org/Ports/WebKitGTK%20and%20WPE%20WebKit/DependenciesPolicy.html

So honestly, I wouldn't recommend you use an old distro if you want to use webkit2gtk apps that access the Internet. Maybe there isn't much risk for this app (I know almost nothing about the app.) My interest here was basically because I needed to update packages in Debian and Ubuntu.

dlenski commented 4 months ago

> You can get a better view by looking at https://launchpad.net/ubuntu/+source/webkit2gtk . Yes, Ubuntu 20.04 LTS did get security support for webkit2gtk but it stopped a year ago.
>
> This is because of upstream webkit2gtk's dependency/support policy: https://docs.webkit.org/Ports/WebKitGTK%20and%20WPE%20WebKit/DependenciesPolicy.html

Thanks. So it actually doesn't get the full 5 years’ worth of support that we'd expect for Ubuntu LTS (https://ubuntu.com/about/release-cycle#:~:text=The%20lifecycle%20consists,without%20a%20subscription)…?

:thinking:

That's pretty surprising.

> So honestly, I wouldn't recommend you use an old distro if you want to use webkit2gtk apps that access the Internet. Maybe there isn't much risk for this app (I know almost nothing about the app.) My interest here was basically because I needed to update packages in Debian and Ubuntu.

To a large extent, end users of proprietary VPN software like PAN GlobalProtect Just Want It To Work™ (see https://github.com/dlenski/gp-saml-gui/issues/37#issuecomment-1063514658) and have no control over the security properties of the servers, which are themselves frequently obsolete and inconsistent (see GnuTLS issue #958 for some discussion).

So I've gone with https://github.com/dlenski/gp-saml-gui/commit/adf8261424a5287124dde7daa99a94675a89f5e8 as the solution here (warns and falls back to 4.0, if needed).

jbicha commented 4 months ago

Yes, it's mentioned (although the specifics are currently out of date) at https://wiki.ubuntu.com/SecurityTeam/FAQ#WebKitGTK