Package: lomiri-desktop-session
Version: 0.3-11
Severity: important
Tags: security
X-Debbugs-CC: [email protected]

lomiri-desktop-session has Recommends: morph-browser and no other direct dependency on a web browser. I recommend removing that dependency. Lomiri's metapackage (see https://bugs.debian.org/1131475 ) could instead Recommend something like gnome-core does:

Recommends: firefox-esr (>= 140) | firefox (>= 140) | chromium | gnome-www-browser

gnome-core also has epiphany-browser as an alternative but I assume that doesn't make much sense for Lomiri.

morph-browser's web engine is qtwebengine-opensource-src (or qt6-webengine). This has been declared unsupported by Debian Security since at least 2019.
https://bugs.debian.org/926179

Web browsers with adequate security support in Debian include firefox-esr and chromium. webkit2gtk is also maintained so browsers that use it like epiphany-browser are probably ok too.

Currently, task-lomiri-desktop already does pull in firefox-esr (in addition to morph-browser). I haven't investigated to figure out what exactly pulls in firefox-esr, but I don't consider it to be a problem because I think we should be installing it anyway.

Thank you,
Jeremy Bícha

