author | Florian Bruhin <git@the-compiler.org> | 2018-03-08 12:58:17 +0100 |
---|---|---|
committer | Florian Bruhin <git@the-compiler.org> | 2018-03-08 12:58:17 +0100 |
commit | 2b2473a6d8ae6b81c1f9e89d105292de50c7b413 (patch) | |
tree | d3ba505819072ccab04e9f213fc078bb77a77634 | |
parent | 0134c1fcfd5aac1ed55e553c32e53df64b319a58 (diff) | |
Add security entry FAQ
Fixes #3686
-rw-r--r-- | README.asciidoc | 2 |
-rw-r--r-- | doc/faq.asciidoc | 27 |
2 files changed, 27 insertions, 2 deletions
diff --git a/README.asciidoc b/README.asciidoc index c141aa0c3..8dfc11c9f 100644 --- a/README.asciidoc +++ b/README.asciidoc @@ -91,7 +91,7 @@ https://lists.schokokeks.org/mailman/listinfo.cgi/qutebrowser[mailinglist] at mailto:qutebrowser@lists.qutebrowser.org[]. For security bugs, please contact me directly at mail@qutebrowser.org, GPG ID -https://www.the-compiler.org/pubkey.asc[0xFD55A072]. +https://www.the-compiler.org/pubkey.asc[0x916eb0c8fd55a072]. Requirements ------------ diff --git a/doc/faq.asciidoc b/doc/faq.asciidoc index 8bbc1e5d0..9b3f210ea 100644 --- a/doc/faq.asciidoc +++ b/doc/faq.asciidoc @@ -32,7 +32,7 @@ When qutebrowser was created, the newer http://webkitgtk.org/reference/webkit2gtk/stable/index.html[WebKit2 API] lacked basic features like proxy support, and almost no projects have started porting to WebKit2. In the meantime, this situation has improved a bit, but there are -stil only a few project which have some kind of WebKit2 support (see the +still only a few projects which have some kind of WebKit2 support (see the https://github.com/qutebrowser/qutebrowser#similar-projects[list of alternatives]). + 
@@ -70,6 +70,31 @@ But isn't Python too slow for a browser?:: and WebKit in C++, with the https://wiki.python.org/moin/GlobalInterpreterLock[GIL] released. +Is qutebrowser secure?:: + Most security issues are in the backend (which handles networking, + rendering, JavaScript, etc.) and not qutebrowser itself. ++ +qutebrowser uses http://wiki.qt.io/QtWebEngine[QtWebEngine] by default. +QtWebEngine is based on Google's https://www.chromium.org/Home[Chromium]. While +Qt only updates to a new Chromium release on every minor Qt release (all ~6 +months), every patch release backports security fixes from newer Chromium +versions. In other words: As long as you're using an up-to-date Qt, you should +be recieving security updates on a regular basis, without qutebrowser having to +do anything. Chromium's process isolation and +https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md[sandboxing] +features are also enabled as a second line of defense. ++ +http://wiki.qt.io/QtWebKit[QtWebKit] is also supported as an alternative +backend, but hasn't seen new releases +https://github.com/annulen/webkit/releases[in a while]. It also doesn't have any +process isolation or sandboxing. ++ +Security issues in qutebrowser's code happen very rarely (as per March 2018, +there has been one security issue caused by qutebrowser in over four years) and +are fixed timely. To report security bugs, please contact me directly at +mail@qutebrowser.org, GPG ID +https://www.the-compiler.org/pubkey.asc[0x916eb0c8fd55a072]. + Is there an adblocker?:: There is a host-based adblocker which takes /etc/hosts-like lists. A "real" adblocker has a |
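Review bot: In the README.asciidoc hunk, the new ID 0x916eb0c8fd55a072 is a 64-bit long key ID. That is an improvement over the 32-bit 0xFD55A072 it replaces, but a key ID of this length is still not a collision-resistant way to identify a key. For a security contact, consider printing the full key fingerprint next to the pubkey.asc link so a reporter can check the downloaded key against it before encrypting a report.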
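Review bot: In the added "Is qutebrowser secure?" entry in doc/faq.asciidoc, "recieving" should be "receiving"; it is worth fixing here, since the same commit corrects "stil" one hunk earlier. Two wording points in the same entry: "all ~6 months" reads better as "every ~6 months", and "as per March 2018" as "as of March 2018". The two wiki.qt.io links use http:// while every other link added in this entry uses https://, so switch them if the wiki serves HTTPS. The contact address and GPG ID now appear in both README.asciidoc and this entry, so a future key change has to update both; a cross-reference from one to the other would avoid them drifting apart.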