As discussed in IRC, here's a rough draft patch. I haven't actually, like, built a .deb and installed it and run the script (sorry).
>From 501e9a6653c86fb59eceffdc6bdcc320691b8604 Mon Sep 17 00:00:00 2001 From: "Trent W. Buck" <trentb...@gmail.com> Date: Tue, 25 Jan 2022 00:38:23 +1100 Subject: [PATCH] Warn people about khtml and webkit2gtk (Closes: #773387, #1004293)
--- debian/changelog | 7 +++++++ security-support-limited | 9 +++++++++ 2 files changed, 16 insertions(+) diff --git a/debian/changelog b/debian/changelog index 2a828a1..dc19574 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +debian-security-support (1:12+2021.12.09) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Warn people about khtml and webkit2gtk (Closes: #773387, #1004293) + + -- Trent W. Buck <trentb...@gmail.com> Tue, 25 Jan 2022 00:37:16 +1100 + debian-security-support (1:12+2021.12.08) unstable; urgency=medium [ Sylvain Beucler ] diff --git a/security-support-limited b/security-support-limited index bebda1c..7e9c7ad 100644 --- a/security-support-limited +++ b/security-support-limited @@ -6,13 +6,19 @@ # 2. Descriptive text or URL with more details (optional) # In the program's output, this is prefixed with "Details:" +# See also: +# https://www.debian.org/releases/bullseye/arm64/release-notes/ch-information.en.html#limited-security-support + adns Stub resolver that should only be used with trusted recursors binutils Only suitable for trusted content; see https://lists.debian.org/msgid-search/87lfqsomtg....@mid.deneb.enyo.de cython Only included for building packages, not running them, #975058 ganglia See README.Debian.security, only supported behind an authenticated HTTP zone, #702775 ganglia-web See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 golang.* See https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking +# Debian 10 and earlier? kde4libs khtml has no security support upstream, only for use on trusted content +# Debian 9 and later? +khtml khtml has no security support upstream, only for use on trusted content libv8-3.14 Not covered by security support, only suitable for trusted content mozjs Not covered by security support, only suitable for trusted content mozjs24 Not covered by security support, only suitable for trusted content @@ -28,5 +34,8 @@ qtwebkit No security support upstream and backports not feasible, only fo qtwebkit-opensource-src No security support upstream and backports not feasible, only for use on trusted content sql-ledger Only supported behind an authenticated HTTP zone swftools Not covered by security support, only suitable for trusted content +# Debian 9 and earlier webkitgtk No security support upstream and backports not feasible, only for use on trusted content +# Debian 8 and later +webkit2gtk No security support upstream and backports not feasible, only for use on trusted content zoneminder See README.Debian.security, only supported behind an authenticated HTTP zone, #922724 -- 2.30.2