Linux distributions have a problem with WebKit security.
Major desktop browsers push automatic security updates directly to users on a regular basis, so most users don’t have to worry about security updates. But Linux users are dependent on their distributions to release updates. Apple fixed over 100 vulnerabilities in WebKit last year, so getting updates out to users is critical.
We regularly receive bug reports from users with very old versions of WebKit, who trust their distributors to handle security for them and might not even realize they are running ancient, unsafe versions of WebKit. I strongly recommend using a distribution that releases WebKitGTK+ updates shortly after they are released upstream. At the moment that means only Arch and Fedora. (You can also safely use WebKitGTK+ in Debian testing, except during its long freeze periods, in Debian unstable, probably in openSUSE Tumbleweed, and, per a later update, in Gentoo testing. Just be aware that the stable releases of these distributions are currently not receiving our security updates.) I would like to add more distributions to this list, but I am currently not aware of any more that qualify.
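If you are not sure whether your distribution is keeping up, the quickest check is to compare the WebKitGTK+ version pkg-config reports against the latest release announced upstream at webkitgtk.org. The script below is an added example for this post, not part of the original or of the WebKitGTK+ project; it assumes pkg-config is installed, that the library registers itself as webkit2gtk-4.0 (or the legacy webkitgtk-3.0 API), and that you pass the current upstream version number yourself, since this post does not name one. The version comparison is written out by hand rather than relying on GNU sort -V so that it runs on any POSIX sh.

```shell
#!/bin/sh
# Added example: is the installed WebKitGTK+ at least a given upstream release?
# Not code from the original post. Assumes purely numeric dotted versions
# (e.g. 2.10.9), which is what WebKitGTK+ releases use.

# version_ge A B: exit 0 if dotted version A >= B, comparing each component
# numerically so that 2.10.9 correctly ranks above 2.4.11.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"           # leading component of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}" # drop it, or finish if none left
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"           # missing components count as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0   # all components equal
}

# installed_webkitgtk_version: print the version pkg-config knows about.
# webkit2gtk-4.0 is the WebKit2 API module; webkitgtk-3.0 is the old WebKit1 API
# (assumed module names; adjust if your distribution packages them differently).
installed_webkitgtk_version() {
    for mod in webkit2gtk-4.0 webkitgtk-3.0; do
        if v=$(pkg-config --modversion "$mod" 2>/dev/null); then
            echo "$v"
            return 0
        fi
    done
    return 1
}

# check_webkitgtk MINIMUM: 0 if installed >= MINIMUM, 1 if outdated,
# 2 if no WebKitGTK+ development files are visible to pkg-config.
check_webkitgtk() {
    min="$1"
    if ! have=$(installed_webkitgtk_version); then
        echo "WebKitGTK+ not found via pkg-config (install the -dev/-devel package to check)" >&2
        return 2
    fi
    if version_ge "$have" "$min"; then
        echo "ok: WebKitGTK+ $have is at least $min"
        return 0
    fi
    echo "OUTDATED: WebKitGTK+ $have is older than upstream $min; expect unpatched vulnerabilities" >&2
    return 1
}

# Usage: sh check-webkitgtk.sh <latest-upstream-version>
if [ $# -ge 1 ]; then
    check_webkitgtk "$1"
fi
```

Run it with the most recent version listed on webkitgtk.org; a non-zero exit means your distribution is behind upstream. Note that this only tells you whether the library is old, not whether your distribution backported specific fixes, and distributions that ship WebKitGTK+ without the development package will need the check adapted to their package manager (dpkg-query or rpm -q) instead of pkg-config.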
This is the story of how that process has gone wrong for WebKit.
Before we get started, a few disclaimers. I want to be crystal clear about these points:
This post does not apply to WebKit as used in Apple products. Apple products receive regular security updates.
WebKitGTK+ releases regular security updates upstream. It is safe to use so long as you apply the updates.
The opinions expressed in this post are my own, not my employer’s, and not the WebKit project’s.