Hi,

We have recently started updating all Fedoras to the latest stable
release of WebKitGTK+ in order to provide effective security support.
I'm pleased that so far we have had no bug reports related to these
updates.

Recently, FESCo wisely adopted a policy to ban stable release updates
that break API or ABI, and while I believe we currently comply, we
might be skirting the line a bit. We intend to offer API and ABI
compatibility indefinitely, most likely until GTK+ 4 is released,
whenever that may be, but with two caveats.

First, the stable DOM bindings API/ABI will not change, but may cease
to function properly if something is removed from the DOM spec. In the
worst case, application crashes are possible, e.g. if an application is
not expecting a function to return NULL. To avoid friction with other
WebKit contributors, we cannot provide compatibility here. To my
knowledge, no real world application has ever been affected by such an
issue, and the odds of real world breakage here are much lower than
with a typical bugfix update, so I don't see the need to worry about
this -- it's just something to be aware of. If your open source
application is ever unlucky enough to be affected by such an issue, we
will help fix it.

WebKitGTK+ also offers a larger, unstable DOM API accessible if
WEBKIT_DOM_USE_UNSTABLE_API is defined. Here API/ABI compatibility is
restricted to micro 2.x.y version updates; the API/ABI *will* break in
a minor version update (2.x), and these updates will occur within the
lifetime of a particular stable Fedora release. The only practical way
to avoid API changes here is to not update WebKit and live with unfixed
remote code execution vulnerabilities. Backports are not practical.
Currently known users of this API are Epiphany and Yelp; since only two
applications are affected, I don't consider this a practical problem.
If your Fedora package needs to use this API, contact me privately so
that we can know to take responsibility for rebuilding your application
when needed and avoid broken updates. Third-party applications are
strongly encouraged to avoid using this API.

Michael