multiverse security implications

Asked by Knickers Brown

Why is multiverse enabled by default when applying security updates to multiverse packages is discretional?

If at the discretion of the Ubuntu security team a vulnerability may be ignored, some users may have installed packages that will be missing security updates. Putting a warning in /etc/apt/security.list may never be seen by some users.

The installation process for 22.04 desktop does not have any warnings about multiverse or controls to disable multiverse, it just gets enabled by default.

Some Ubuntu security hardening guides say to disable multiverse but they may never be seen by some users.

If some or all of these conditions are true, there may be some liability issues.

Question information

Language: English
Status: Solved
For: Ubuntu ubiquity
Assignee: No assignee
Solved by: Knickers Brown
Bernard Stafford (bernard010) said:
#1

1st. Multiverse repository is an optional decision.
Going beyond the official base repository is taking a chance and not supported.
https://wiki.ubuntu.com/Base even with 22.04 LTS

https://help.ubuntu.com/community/Repositories/Ubuntu

Multiverse - Software restricted by copyright or legal issues.

Knickers Brown (metta-crawler) said:
#3

When I install ubuntu-22.04-desktop-amd64.iso the multiverse repository is enabled instantly with no ability to disable it during the GUI installation. I have to manually disable it. Why is multiverse enabled by default when applying security updates to multiverse packages is discretional?

Knickers Brown (metta-crawler) said:
#4

I think older versions of Ubuntu did not enable multiverse by default but that was changed and now ubuntu-22.04-desktop-amd64.iso comes with it enabled.

Bernard Stafford (bernard010) said (last edit):
#5

https://help.ubuntu.com/community/Repositories/Ubuntu
Activities -> Software & Updates -> Select Ubuntu Software tab ->
Uncheck the box "Software restricted by copyright or legal issues (multiverse)"
solved

Manfred Hampl (m-hampl) said:
#6

In your question you refer to a file named "/etc/apt/security.list". I am not aware of such file and do not have it on my system.

If I remember correctly, there is the option to enable and disable the installation of proprietary drivers, see https://davesroboshack.com/wp-content/uploads/2020/02/07_third_party_select-1024x576.png

I am not sure whether this affects restricted or multiverse or both.

What exactly do you deem wrong?
Which action do you execute, what happens, and what do you expect to happen instead?

e.g. what contents do you have in /etc/apt/sources.list with respect to -updates and -security for multiverse after initial installation, and what do you expect it to be? Or, if you would like to have more extensive security information in the installation dialogue, please make a proposal! Do you expect to have that "install proprietary drivers" option enabled or disabled when you start a new installation?

Please create concrete proposals instead of cryptic remarks "but they may never by some users."

Knickers Brown (metta-crawler) said:
#7

Reproducing steps:

1. Security issue is reported for a package in multiverse.
2. Ubuntu security team does not decide to update or patch it. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures where it says:
> The Ubuntu Security team also tracks issues in universe and multiverse and at their discretion may request a sync from Debian to solve vulnerabilities in packages in the current development release. Patches for flaws in packages from universe and multiverse for stable releases or for the development release when a sync from Debian is deemed too intrusive should be prepared by community members.
3. User installs Ubuntu and, because multiverse is enabled, installs the package with a security flaw which the Ubuntu Security team did not decide to fix.
4. Security flaw in the package which lacks remediation is exploited.
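One way to audit the situation described in steps 1 to 3 from the shell, as an added example that is not from this thread or from Ubuntu's own tooling: it parses a constructed 22.04-style /etc/apt/sources.list, reports which suites (the base suite plus -updates and -security, the lines Manfred asks about in #6) have the multiverse component enabled, and writes the same file back without that component, which is the command-line equivalent of unchecking the box in Software & Updates from #5. The sample file content and the awk parsing are assumptions, not copied from a real installation.

```shell
#!/bin/sh
# Constructed sample of an Ubuntu 22.04 desktop /etc/apt/sources.list
# (assumption: the one-line "deb" format the installer writes; the mirror
# URLs and component lists are illustrative, not copied from a real system).
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu jammy main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse
deb [arch=amd64] http://security.ubuntu.com/ubuntu jammy-security main restricted universe multiverse
# deb-src http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://archive.ubuntu.com/ubuntu jammy-backports main restricted universe'

# Print one suite per line (e.g. jammy-security) for every active "deb" line
# whose component list contains multiverse. Reads sources.list text on stdin.
multiverse_suites() {
    awk '
    $1 == "deb" {
        i = 2
        # skip an optional [opt=val ...] block, which may span several fields
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
        suite = $(i + 1)
        for (j = i + 2; j <= NF; j++)
            if ($j == "multiverse") { print suite; break }
    }'
}

# Emit the same text with "multiverse" dropped from every active "deb" line.
# Comments, deb-src lines and the other components are left untouched.
strip_multiverse() {
    awk '
    $1 == "deb" {
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i != "multiverse") out = out (out == "" ? "" : " ") $i
        print out
        next
    }
    { print }'
}

# Demonstration on the constructed sample. On a live 22.04 system run
#   multiverse_suites < /etc/apt/sources.list
# and, to see which installed packages actually came from that component,
#   dpkg-query -W -f='${Package} ${Section}\n' | grep ' multiverse/'
echo "Suites with multiverse enabled:"
printf '%s\n' "$SAMPLE_SOURCES" | multiverse_suites
echo "Rewritten without multiverse:"
printf '%s\n' "$SAMPLE_SOURCES" | strip_multiverse
```

Packages already installed from multiverse stay installed after the component is removed; the dpkg-query line in the comment lists them so they can be reviewed individually.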

Manfred Hampl (m-hampl) said:
#8

What do you suggest?
Any computer user has to be aware that there may be flaws in programs that can be exploited.

Knickers Brown (metta-crawler) said:
#9

I suggest that the Ubuntu installation software disable multiverse by default to avoid my stated reproducing steps. If someone wants to enable multiverse that is their risk, not a risk imposed by the ubuntu installation software.

Manfred Hampl (m-hampl) said:
#10

Such suggestions should be given in the form of a bug report.

See also https://wiki.ubuntu.com/Ubiquity

Knickers Brown (metta-crawler) said:
#11

I started out with a question that nobody answered.

>Why is multiverse enabled by default when applying security updates to multiverse packages is discretional?