
Bug#1034364: kde-baseapps depends on konqueror which is not security maintained



Hi Lisandro,

thanks for your response!

On Saturday, 15 April 2023, 15:15:08, you wrote:
> On Thu, 13 Apr 2023 at 14:15, Bernhard Reiter <bernhard@intevation.de>
> >    "qtwebengine-opensource-src No security support upstream and
> >    backports not feasible, only for use on trusted content"

> If we follow that reasoning we shouldn't be shipping Plasma at all, as
> many things use Qt5's webengine.

Konqueror is advertised as a web browser, which means it will (offer to)
open URLs from different sources, e.g. when clicked from emails, which means
external URLs and data.

Other components from Plasma may not share the same exposure to outside
data, and thus would be less vulnerable. It seems that this would warrant
some more examination.

If it is true that other components show the same risks, then yes, I'd say
that we should either get the security situation changed or really not
ship those components by default. They may risk systems like
the dynamic loading of remote objects from Java did, which would be a problem
for both Debian and upstream.

It seems too big a topic for this issue.
What would be the right place in Debian to bring this up?

Thanks again,
Bernhard
