qtwebkit: Mark known vulnerable

The browser engine is based off an old Webkit version, receives no
security backports, does no releases.

The WebKitGTK people have counted over 500 CVEs they fixed since 2016.

Adding known vulnerable to make people aware they're using a browser
engine that is not up to todays standards and could very likely be
easily compromised.

Projects are recomended to migrate to qtwebengine instead.

https://blogs.gnome.org/mcatanzaro/2017/02/08/an-update-on-webkit-security-updates/
https://github.com/qutebrowser/qutebrowser/issues/4039#issue-338246939
https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/
This commit is contained in:
Martin Weinelt 2022-11-13 14:31:55 +01:00
parent 890b241276
commit a505704e8f
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759

View File

@ -69,5 +69,8 @@ qtModule {
meta = {
maintainers = with lib.maintainers; [ abbradar periklis ];
knownVulnerabilities = [
"QtWebkit upstream is unmaintained and receives no security updates, see https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/"
];
};
}