#1131939 malcontent: New upstream release 0.14.0

#1131939#5
Date:
2026-03-26 11:38:08 UTC
I noticed while looking at GNOME Shell 50 updates that malcontent 0.14.0
is an optional dependency, for the new screen-time tracking feature. We
don't have this version in Debian yet, so that Shell feature will be
disabled until we do.

(I don't use parental controls myself, so I am unlikely to update this
package.)

Thanks,
    smcv

#1131939#10
Date:
2026-05-25 19:42:39 UTC
Hi,

I first learned about CVE-2026-44931 today. If we uploaded malcontent
0.14.0 to unstable, would it be a RC issue from the perspective of the
Debian Security Team?

https://security-tracker.debian.org/tracker/CVE-2026-44931

Thank you,
Jeremy Bícha

#1131939#15
Date:
2026-05-26 15:28:21 UTC
Hi Jeremy,

Maybe not RC, but if there is not a reason to introduce a known
issue, is there a reason you need to rebase on 0.14.0? Can we keep it
at the version it is now to not get the issue into forky and see if a
solution appears upstream?

Regards,
Salvatore

#1131939#20
Date:
2026-05-26 15:36:25 UTC
We patch gnome-control-center to keep using malcontent 0.13. This is
fine for now, but eventually we will want the newer version. I haven't
tested malcontent 0.14 but the NEWS suggests that it has new features
that may make the parental controls more effective. (My somewhat harsh
review is that malcontent 0.13 isn't very effective so I appreciate
improvement.)

https://salsa.debian.org/gnome-team/gnome-control-center/-/blob/debian/latest/debian/patches/debian/Revert-wellbeing-Synchronize-settings-with-malcontent.patch

https://gitlab.freedesktop.org/pwithnall/malcontent/-/blob/main/NEWS

Thank you,
Jeremy Bícha

#1131939#25
Date:
2026-05-27 06:59:55 UTC
Hi Jeremy,
mangled by having it rewritten my answer. But it looks like you still got my
point.

How about then keeping the situation as long as it is either affordable
for you, or alternatively update to 0.14.0 but open a RC bug level for
the CVE, so it is clear that it is desirable to have it fixed for
forky.

Upstream has explained the difficulties in:
https://gitlab.freedesktop.org/pwithnall/malcontent/-/work_items/137

So maybe raising the flag as rc level in Debian could motivate someone
into helping upstream in developing a fix?

Regards,
Salvatore