Moritz Muehlenhoff wrote:
> On Tue, Jan 25, 2022 at 12:20:46AM +1100, Trent W. Buck wrote:
> > Package: debian-security-support
> > Version: 1:11+2021.03.19
> > Severity: normal
> > File: /usr/share/debian-security-support/security-support-limited
> >
> > As at Debian 11,
> >
> > * webkitgtk is in src:webkit2gtk, not src:webkit.
> > * khtml is in src:khtml, not src:kde4libs.
> >
> > GNOME3 and KDE5 have been around for a while now.
> > I think security-support-limited should be updated to reflect this.
>
> webkit2gtk is fully supported since Buster and there have been plenty of
> security updates since then:
> https://security-tracker.debian.org/tracker/source-package/webkit2gtk
Am I misreading the Release Notes?

https://www.debian.org/releases/bullseye/arm64/release-notes/ch-information.en.html#limited-security-support

    browsers built upon e.g. the webkit and khtml engines^[6] are included
    in bullseye, but not covered by security support.

Are you saying that webkit2gtk is supported, but anything that USES webkit2gtk is unsupported?

Even if that is the case, webkit2gtk itself ships a web browser based on webkit2gtk:

    libwebkit2gtk-4.0-37:amd64: /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/MiniBrowser

That browser even accesses a remote (therefore not trusted by Debian) URL by default. (Unlike e.g. yelp, which uses webkit2gtk mainly to render content provided by Debian.) It also enables javascript (remote code execution) by default.

Since webkit2gtk includes a webkit2gtk-based browser, and "browsers built upon webkit" are "not covered by security support", I still think webkit2gtk belongs in the "security support is limited" list.

I agree that debian-security has provided security updates for webkit2gtk in the past. I think "limited" doesn't mean "we promise never to issue security updates"; I think "limited" means "we don't promise to issue security updates".

Sorry if I'm missing something obvious!

Oh! I've been assuming that when the Release Notes said only firefox-esr/chromium are supported, and explicitly gave "webkit" as an example, "webkit" meant webkit2gtk. But maybe it only meant webkit (MacOS-only, never in Debian) or "webkitgtk" (not in Debian for about 8 years)? But then why even mention it in the *bullseye* release notes?