PureOS repo of Gnome Web (Epiphany) update forthcoming?

Hey, I just noticed that Gnome Web in the PureOS Byzantium repository is on v40 from a year ago, while the Flathub repo is on v46. Are there any plans to update that any time soon? I don’t normally care about new bells and whistles on something like a browser, but I find that the longer Gnome Web goes without an update, the buggier my Web Apps get.

1 Like

I am also interested in the answer to this question.

I recall reading there are two known CVEs, that an HTML page can make a long title that overflows and executes arbitrary virus code, and that password manager(s) in Gnome Web 40 would send your password into wrong places that request it, so we shouldn’t keep passwords in there.

But I came to enjoy the Gnome Web default setup more than Firefox, so I sometimes still use it on known sites that won’t exploit it.

2 Likes

Since PureOS follows Debian, and this release of Debian/PureOS is on Gnome 40 or something… Unlikely to happen as it would need a lot more updates than just Gnome Web.

There are only 2 paths:

  • install a more up-to-date OS (Crimson, Mobian, etc.)
  • install the Gnome Web Flatpak (which will bring with it all of Gnome v46 as a Flatpak dependency, which will be shared however with other Gnome 46 Flatpaks so it’s not a waste of space if you use a lot of them)

3 Likes

No, in addition to the other posts on this thread, you can use the nightly Flatpak.

2 Likes

GNOME Web version 40 came out in 2021; see NEWS · master · GNOME / Epiphany · GitLab.

The reason why they are still shipping an old and vulnerable version of GNOME Web is because they are using their own fork (see https://source.puri.sm/Librem5/debs/epiphany), which they also haven’t updated in a long time. The last change they made there was to disable navigation gestures.

Unfortunately, if they shipped what Debian is shipping, then you would get version 3.38.2 if you are using Byzantium, because Byzantium is based on Debian bullseye and Debian ships version 3.38.2 to their Debian bullseye users. Though based on Information on source package epiphany-browser, it seems they have fixes for almost all of the recently (last three years) disclosed software vulnerabilities compared to what Purism is shipping.

Also, you can read Please be aware if you are using epiphany browser - #20 by Moon3 about the different software vulnerabilities that affect the version they are shipping.

4 Likes

Where can I make a pull request so that the Web button on my phone can’t get virus(es) from literally any page with an intentionally malformed title?

Purism’s investment report says they have literal millions of dollars, so when I think about it, there should be a way to do this without requiring a flatpak/different software distributor than PureOS itself.

1 Like

@Moon3 mentioned the GitLab repository just above your post:

1 Like

Your best option is to try the Flatpak version of GNOME Web.

1 Like

It is a waste of time.

Guido Gunther already reported one of those issues nearly two years ago: CVE-2022-29536 (#39) · Issues · Librem5 / debs / Epiphany · GitLab.

3 Likes

It needs a merge request highlighting the code changes linked to the issue for @guido.gunther to review and approve it.

1 Like

What makes you think he can or will review and approve changes?

1 Like

A developer’s bottleneck is time, so contributors can make issues easier to solve for them if code changes are summarized in a readable and presentable manner.

1 Like

This still doesn’t answer my question. What makes you think he can or will review and approve those contributions?

1 Like

That is the only answer I am able to produce with my limited time and space. If you have further personal questions for me to process, forward them to my Introduction/AMA thread and I will eventually get back to you:

Thanks for all the input. I was aware that I could download the more-updated Flatpak version, and may still do that, but have some follow-on questions:

  • Would it make sense at that point to uninstall the native PureOS distro, or would it just keep coming back with each system update?
  • What potentially would I be giving up by doing this? Are there any known integrations in the PureOS version that work particularly well with PureOS?

I would also ask why they don’t just update the PureOS distro, but catching up with news from the last year, it looks like they’ve been pretty hollowed out as a company; I’m guessing it’s a net bandwidth issue, like FF states.

1 Like

No, you risk operating system instability if you attempt to remove Epiphany, among other tightly integrated system packages.

Not that I know of yet, but @francois-techene addressed developing Epiphany in their roadmap for 2023:

Relevant quote:

Currently there is no roadmap for 2024.

I am just curious, why are you using PureOS, @ecs?

1 Like

I found that apt discourages uninstalling epiphany-browser because librem5-gnome depends on it. I also still need it to add and manage web apps because the Flatpak version does not have such an option.

The Purism version has the “swipe right to go back” gesture disabled. But I find it usable either way.

2 Likes

Thanks again, everyone. It is good to know that the Flatpak version doesn’t have web apps. Problems with web apps are the main reason I was interested in an update to begin with, so I doubt I’ll bother with the Flatpak version; I have other browsers. Learning about the vulnerability, however, gives me pause, because I mostly use web apps to compartmentalize my interaction with commercial websites.

1 Like

More broadly, why isn’t there more interest in developing web app features for other noncommercial browsers (i.e., not Chrome, Safari or Edge)? Does it interfere with the browsers’ business models in some way? Or is it just that businesses/sites that would lose money if people compartmentalize their personal data are making it technically difficult to implement?

1 Like