Thanks Simon,

The next upstream version of budgie-desktop will drop gnome-screensaver in favour of existing maintained packages in the archive (swaylock or gtklock). The time-frame though that I would be happy to ship for a "debian stable" rather than a "debian testing" will be approx Sept/Oct time frame - so trixie + 1 assuming trixie is sooner rather than later.

David (project lead)

On Mon, 13 Jan 2025 at 15:39, Simon McVittie <s...@debian.org> wrote:
>
> Source: budgie-desktop
> Version: 10.9.2-6
> Severity: important
> Tags: trixie sid security
> Control: block 895477 by -1
> X-Debbugs-Cc: gnome-screensa...@packages.debian.org, t...@security.debian.org
>
> budgie-core Depends on gnome-screensaver, and src:budgie-desktop
> Build-Depends on it. gnome-screensaver is the unmaintained GNOME 2
> screensaver (see #895477), and was superseded by GNOME Shell's integrated
> lock screen in about 2010.
>
> Does Budgie really use the unmaintained GNOME 2 screensaver? I thought it
> had an integrated lock screen, like GNOME Shell and Cinnamon do?
>
> If Budgie doesn't actually use gnome-screensaver, please remove the
> dependency in the packaging, so that gnome-screensaver can be removed
> from Debian.
>
> If Budgie *does* use gnome-screensaver, that seems like a problem -
> a screensaver is a security-sensitive component, and gnome-screensaver
> has no upstream maintainer, so any security vulnerabilities in it will
> not be fixed. Budgie should use a maintained screensaver, either by
> the Budgie project forking gnome-screensaver as a Budgie component and
> becoming its new upstream maintainer, or by using some other codebase
> (like perhaps xscreensaver).
>
> Thanks,
> smcv