Package: debian-security-support
Severity: wishlist
Tags: security
As discussed on https://bugs.debian.org/1081907, the only reason why
src:vte is still in the archive is because debian-installer is still
using GTK 2 (and the only reason why it compiles .deb and not just .udeb
is in an attempt to make it somewhat easier to debug d-i-related issues).
For anything outside the installer, the replacement is src:vte2.91, which
is compiled in GTK 3 and GTK 4 flavours (but does not support GTK 2).
The GNOME team does not intend to support the use of src:vte for untrusted
content, and we don't intend to fix DoS vulnerabilities like #1081907,
or any bugs at all, really (unless they are critical for d-i). We've been
trying to remove src:vte from the archive since at least 2017.
I'm not sure whether this would be better represented in d-s-s as
"limited support" or "EOL", but I feel as though it probably ought to
be one of those.
Thanks,
smcv
