If I understand the upstream patch correctly, this replaces pickle with json for bookmarks and metadata information. It looks like this patch was applied to sid.
Won't this break existing installs by making existing data inaccessible? Maybe we don't have much choice in the matter however. Any automatic conversion tool is likely to have the same vulnerability we are attempting to resolve. -- Brian May <b...@debian.org>