Selecting Secure Packages from packages.debian.org

Similarly, a lot of software is used in production by thousands of people for years, yet the software calls itself alpha or has some 0.x version number.

A few years ago we had some discussions “replace X (from Debian) with Y (from Debian) because X is more secure than Y”. It’s insurmountable. Even for existing packages used by Whonix. There would be a lot of bikeshedding, a lot of theorizing and zero to little input from people who actually have experience/capability to review the code in question / producing vulnerabilities. As long as there is no authoritative source that makes statements about the security of X vs Y, this is not something the Whonix project can fix.

Therefore if software is considered insecure, abandoned, etc. it would be best to report this to Debian since Debian regularly removes packages where that is the case. That’s also why VirtualBox is Unavailable in Debian stable and backports due to Debian Stable Security Maintenance Issues. Just mentioning to dispel possible assumptions that this never happens.

That might be a case of “A said B”, “C understood D”.
There are many reasons to recommend against it such as reliability. But there is no statement by the author “don’t use it because there are likely remote exploitable security vulnerabilities”.
Please ask upstream (Debian package maintainer and upstream author) explicitly rather than making implicit assumptions.

Maybe, but Debian was the best base distribution that I could find at that time to build on top of overall (many criteria…). Until there is something better, usable as a base distribution, some distribution that wouldn’t allow unmaintained/insecure software, there is nothing realistically that can be done about this.

Probably the same for tons of other packages that Whonix Depends: on directly or that their dependencies do.
