On Sat, May 26, 2018 at 11:28:29PM -0400, Michael Gilbert wrote: > Are you intending CEF to make it into a stable release?
Yes. > Since chromium's source is updated every few weeks for security updates, > won't CEF need to be updated just as often? Yes. CEF generally follows Chromium fairly closely (support for a Chromium branch begins when it enters the beta channel, and ends when it exits the stable channel). > If so, I'm not sure that will be supportable over the lifetime of a stable > release. It's an open question to what degree we can give it security support, indeed. The intention is for this to go through binNMUs for minor Chromium versions; you'd have to actually upgrade CEF when major version bumps happen, which means CEF security support would probably lag a week or two behind Chromium security support in such cases. Note that in many of the use cases CEF covers, you only run trusted code. In particular, in the two possible downstream users in Debian that I know of (nageru and obs-browser), Chromium is simply used as a rendering engine for animation/graphics, not presented as a browser with a UI. Thus, it wouldn't be a big loss to declare end of CEF security support if we run into insurmountable troubles upgrading it in stable. /* Steinar */ -- Homepage: https://www.sesse.net/
