X-Debbugs-CC: oleb...@debian.org
Control: tags -1 -moreinfo

On Sat, 2024-10-19 at 17:38 +0300, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
>
> On Sun, Sep 29, 2024 at 03:25:49PM -0400, Boyuan Yang wrote:
> > As discussed in https://bugs.debian.org/1076101 , package
> > xsane has a Recommends: firefox | www-browser relationship for
> > its binary package. As package firefox does not appear in
> > Debian Stable or Debian Testing, installing xsane will introduce
> > other packages that provide the www-browser virtual package, causing
> > unexpected consequences.
>
> Is the recommendation firefox, or any browser which complies with
> www-browser? It seems odd to recommend any browser and then complain that
> it causes unexpected consequences.
>
> That's a different issue than:
>
> > The known side effect is that the default
> > Debian Bookworm LXQt installation introduces package hv3 as
> > www-browser provider, which is an unmaintained web browser that
> > is dangerous if provided as default internet browser. Further details
> > are discussed in the Debian bug report 1076101.
>
> Perhaps some thought should be given to whether hv3 belongs in stable if it
> is "dangerous" and unmaintained? I don't see any bug reports against it,
> although it's been removed from sid and testing already which is never a
> good sign.

There are repeated reports outside of Debian's mailing list (read it as
forums / IM group chats), and unfortunately these users are not into using
Debian's dated infra for bug reporting ... so I am filling the gap here.

Package hv3 in Sid/Testing was removed due to being unmaintained, for the
same reason as the current bug report. If you feel like the removal from
Debian Stable should be the correct move, I will help to submit a stable RM
bug for hv3 as well.

To Ole Streicher (cc-ed): please let me know if you have any thoughts on
removing hv3 from Debian Stable.

> I don't really have a good idea what you mean by "dangerous" here.

The default installation of an unmaintained web browser itself is already a
security issue.

> > To avoid further surprises for Debian LXQt users, modifying the
> > recommendation to Recommends: firefox-esr | firefox | www-browser
> > is a reasonable mitigation. This change is now present in Debian
> > Unstable as xsane/0.999-12.1.
>
> As above, I question whether there should be a recommendation on
> www-browser at all if that breaks things.

My understanding is that package xsane just needs a sane web browser as a
soft dependency, which may be introduced in the following ways:

(1) on default LXQt installation ISO, the requirement should be satisfied by
    (our) preferred default web browser, firefox-esr.

(2) when manually installed by the user, the requirement can be satisfied by
    sane web browsers, which could be firefox-esr, chromium,
    epiphany-browser, or out-of-repo choices such as google-chrome-stable
    etc.

By using firefox-esr | firefox | www-browser, the ISO generation procedure is
satisfied in case (1). Similarly, users that already have a web browser
installed will not be forced to install firefox-esr when xsane is installed,
which helps case (2).

If we change the dependency to firefox-esr | firefox , the users in case (2)
will be unhappy due to introducing another unnecessary web browser. This is
not what we want.

> Please remove the moreinfo tag when you respond.

Please let me know what is your favorable way to proceed. We can alter the
package recommendation for xsane in Stable (but www-browser rec should be
kept), or remove hv3 from Stable, or do both.

Thanks,
Boyuan Yang
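
A simplified model of how the alternatives lists discussed in this thread resolve, added here as an illustration; it is not part of the original message and is not apt's own code. The archive contents, the provider order for www-browser (chosen to reproduce the hv3 outcome reported above) and all function names are constructed assumptions.

```python
# Simplified model of alternatives resolution; all data below is constructed.
ARCHIVE = {"firefox-esr", "chromium", "hv3"}   # real packages in the suite (no "firefox")
# Virtual package -> providers. The order is an assumption chosen to reproduce
# the hv3 outcome reported in the thread; the Recommends field does not control it.
PROVIDES = {"www-browser": ["hv3", "firefox-esr", "chromium"]}

def parse_alternatives(field):
    """Split 'a | b (>= 1.0) | c' into bare package names, keeping order."""
    return [alt.strip().split()[0].split(":")[0] for alt in field.split("|")]

def satisfied_by(name, installed):
    """Installed packages that satisfy `name`, directly or through Provides."""
    return ({name} | set(PROVIDES.get(name, []))) & installed

def resolve(field, installed):
    """Return the package that would be pulled in, or None if nothing is needed."""
    alts = parse_alternatives(field)
    if any(satisfied_by(alt, installed) for alt in alts):
        return None                      # an alternative is already satisfied
    for alt in alts:                     # otherwise: first installable alternative
        if alt in ARCHIVE:
            return alt
        providers = [p for p in PROVIDES.get(alt, []) if p in ARCHIVE]
        if providers:
            return providers[0]          # fell through to a virtual package
    return None

def falls_through(field):
    """Audit check: True when a clean install is satisfied only via a virtual package."""
    picked = resolve(field, installed=set())
    return picked is not None and picked not in parse_alternatives(field)

if __name__ == "__main__":
    old = "firefox | www-browser"
    new = "firefox-esr | firefox | www-browser"
    print(resolve(old, set()), falls_through(old))          # clean install, old field
    print(resolve(new, set()), falls_through(new))          # case (1), new field
    print(resolve(new, {"chromium"}))                       # case (2), browser present
    print(resolve("firefox-esr | firefox", {"chromium"}))   # without www-browser
```

Running `falls_through` over every relationship field in a suite would flag packages whose named alternatives are all missing from the archive, which is the condition that let an arbitrary www-browser provider be selected here.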