Uwe: Thanks for the suggested workaround.

@Charles,

> As it's an option that you can set on your config, I'm tagging
> wontfix.

This is a security problem and defaults are important. The bug is
about the default behavior. Security by default calls for wise
defaults most particularly when there is no compelling justification
for reduced security by default.

> If you disagree with the Default option, I'd ask you to open an
> issue and discuss directly with upstream [1].

MS Github is a place I will not go. It gives me problems.

It’s true that the defect is upstream. But it is also downstream and
the Debian project’s commitment to “provide an integrated system of
high-quality materials”¹ implies security as a goal, at least in my
interpretation. So regardless of what happens upstream (e.g. if
upstream devs were hypothetically to reject the bug), it should still
be corrected in Debian nonetheless.

That said, I do not mean to impose work on anyone. But /wontfix/ is an
objectionable state for this bug. It should remain a live bug until it
is fixed in Debian (which could happen either by way of upstream
efforts or by a Debian maintainer).

① https://www.debian.org/social_contract
