Dear Ubuntu: Please Stop Packaging Epiphany If You Won’t Do It Properly

Dear Ubuntu,

When users try Epiphany on Ubuntu, they receive a sub-par, broken browser. If you’re not willing to do this right, please just remove Epiphany from your repositories. We’d all be happier this way. You are the  most popular distributor of Epiphany by far, and your poor packaging is making the browser look bad.

Epiphany 3.28.1 Is Stupid Old

Currently you’ve packaged Epiphany 3.28.1 for Ubuntu 18.04, your current LTS release. 3.28.1 is a seriously broken version with an overaggressive adblock filters subscription that blocks legitimate resources on a wide variety of websites, resulting in broken page rendering. We obviously don’t want users to ever use 3.28.1. There is a 3.28.2, released on May 22, 2018, which fixes this problem, but after one year you have still not yet updated. Ideally you would update to 3.28.5, which has been available since September 21, 2018. It’s not like I’m expecting you to upgrade to 3.30 or to 3.32 (the current stable series). I’d be happy to release a 3.28.6, except I know that it’s pointless: you would not upgrade to it if I did.

In Ubuntu 19.04, you have packaged Epiphany 3.32.0. The current version is 3.32.2. There are a lot of bugs fixed in between. (Update: Exalm has pointed out that your snap package takes precedence over the Debian package in GNOME Software, so most users will actually receive the snap instead. The snap is still using 3.30.4, because Epiphany 3.32 depends on GTK 3.24, and that is not available in snaps yet. All app menu items are unavailable because Ubuntu’s GNOME Shell 3.32 does not display Epiphany 3.30’s app menu, so there’s no way to edit preferences, view history, import/export bookmarks, etc. This is not good.)

Because Epiphany is in your universe repository, rather than main, I understand that Canonical does not provide updates. But this is really not OK. Do I really need to add an xscreensaver-style time bomb to protect the reputation of Epiphany?

You’ve Disabled the JPEG 2000 Support

WebKitGTK is in main and you have been updating it regularly and in a timely manner, which is good. Thanks for this!

But we also need WebKitGTK to be built with OpenJPEG support, so that it can display JPEG 2000 images. Because you build WebKitGTK without OpenJPEG support, lots of popular websites are broken, including all websites using Akamai Image Manager. Because we have “Safari” but not “Chromium” in our user agent, these websites send us lots of JPEG 2000 images, and we need to be prepared to handle them properly to avoid broken websites. (Changing our user agent to avoid receiving JPEG 2000 images is, unfortunately, not practical.)

Here we have a really difficult issue, because you admittedly have a good reason for disabling OpenJPEG use. OpenJPEG has failed your security review for inclusion in main. Seth Arnold from the Ubuntu Security Team has reported 24 issues in OpenJPEG, of which 21 still remain unfixed. (It’s probably too much to ask, but if any readers want to help tackle a couple of these, that would be really great.) WebKitGTK is only as secure as its least-secure image decoder, and it seems likely that that would be OpenJPEG. Exposing the low-quality OpenJPEG library to the entire web is risky.

And yet, a web browser that doesn’t display websites properly is simply not worth delivering to users. We need this image decoder for web compatibility. WebKitGTK 2.26 will (hopefully) ship with a sandbox to mitigate security risks. Perhaps future versions of Epiphany should refuse to start if OpenJPEG support is unavailable?

9 Replies to “Dear Ubuntu: Please Stop Packaging Epiphany If You Won’t Do It Properly”

  1. Speaking personally, I tend to respond better to reaching out rather than calling out.

    1. OK: so could you remove it, please?

      This is a sincere request. I don’t trust you to update it.

  2. Are you kidding? You demand that a low-quality library with known security-risks is enabled. You won’t let it go, you crowdsource (“any readers want to help tackle”) the problem, and worse you want to include known security bugs and just put a sandbox over it. It’s like closing your eyes.

    There is no compatibility excuse for unsecure browser. This is stupid. Worst excuse ever.

    You are not building a browser, you are building a botnet. Epiphany will ruin the reputation of gnome and linux with this mindset. You just started and ruined the reputation of Epiphany. Please don’t do browser any more.

  3. mcatanzaro, may I ask you to file a bug? Otherwise, your bug may not receive the attention it deserves. Thanks

  4. Yea, you do have a difficult issue. Your product uses insecure libraries and broken due to it, nobody but you cares enough about it to fix it, and you seemingly don’t have the ability to. Whining that the repo maintainers did their job, vetted the code your project uses, found it unsafe, and — in the interest of every person on Earth except for yourself — said no isn’t going to fix this.

    Why would they waste time processing updates for software with such terrible development ideologies?

  5. Although liking and appreciating Epiphany I have to say that an old unsolved problem is really annoying: the sudden volume change when seeing YouTube videos.
    I have already reported the problem but it was closed and considered solved. I see other users still mentioning the same problem.
    It’s really a pity! Performance and integration are great with Epiphany.

Comments are closed.