
Re: Bits from the Testing Security team

On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote:
> Embedded code copies
> --------------------
> There are a number of packages including source code from external
> libraries, for example poppler is included in xpdf, kpdf and others.  To
> ensure that we don't miss any vulnerabilities in packages that do so we
> maintain a list[6] of embedded code copies in Debian. It is preferable
> that you do not embed copies of code in your packages, but instead link
> against packages that already exist in the archive. Please contact us
> about any missing items you know about.
>
> [6]: http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0

After a first reading of this, I thought you didn't care about statically
linked libraries, as that can be spotted by looking at build-depends.
However, looking at [6] I noticed that some of the embeddings are
reported as "(link statically)" or similar.

So, question, do you want to have reports also of missing pieces of
statically linked code snippets in that list?

If so, I've recently uploaded (still in NEW) OCaml bindings for syck
which statically link parts of libsyck-dev. ATM it is not possible to
do any better, since a shared version of libsyck is not produced by the
syck source package.

I think syck is potentially security risky, since it is often used to
parse third party data. You might want to look at syck bindings for
other languages; for sure in Debian we also have Python and Perl syck
bindings ...

Cheers.

-- 
Stefano Zacchiroli -*- PhD in Computer Science ............... now what?
zack@{cs.unibo.it,debian.org,bononia.it} -%- http://www.bononia.it/zack/
(15:56:48)  Zack: e la demo dema ?    /\    All one has to do is hit the
(15:57:15)  Bac: no, la demo scema    \/    right keys at the right time
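The embedded-code-copies list discussed in this thread is maintained by hand. As an added illustration (not part of this thread, and not the Debian secure-testing team's tooling), the following Python script shows the kind of check a maintainer can run before filing an entry: it fingerprints every file of a reference library tree and flags files in a package's source tree that are identical modulo whitespace, so a vendored parser like syck would be caught even if it was reindented. The "libsyck" and "ocaml-syck" trees it builds are constructed sample data, not the real syck sources.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(data: bytes) -> str:
    """Hash file content with all whitespace removed.

    Reindented or re-wrapped copies of a file still match; copies with
    patched tokens do not and need manual review (or a diff-based check).
    """
    return hashlib.sha256(b"".join(data.split())).hexdigest()


def file_fingerprints(root):
    """Map fingerprint -> relative POSIX path for every regular file under root."""
    root = Path(root)
    fps = {}
    for path in root.rglob("*"):
        if path.is_file():
            fps[fingerprint(path.read_bytes())] = path.relative_to(root).as_posix()
    return fps


def find_embedded_copies(package_src, reference_libs):
    """Return {lib_name: [(package_path, library_path), ...]}.

    reference_libs maps a library name to the root of its pristine source tree.
    A hit means the package ships a file that is (modulo whitespace) a copy of
    a file from that library, i.e. a candidate embedded code copy.
    """
    pkg_fps = file_fingerprints(package_src)
    hits = {}
    for lib_name, lib_root in reference_libs.items():
        lib_fps = file_fingerprints(lib_root)
        shared = pkg_fps.keys() & lib_fps.keys()
        matches = sorted((pkg_fps[fp], lib_fps[fp]) for fp in shared)
        if matches:
            hits[lib_name] = matches
    return hits


def build_sample_tree():
    """Construct a throwaway layout (constructed sample data, not real syck code):
    a reference 'libsyck' tree and an 'ocaml-syck' package tree that embeds
    part of it, one file verbatim and one with changed indentation only."""
    base = Path(tempfile.mkdtemp(prefix="embedded-copies-"))
    lib = base / "libsyck" / "lib"
    pkg = base / "ocaml-syck" / "src"
    lib.mkdir(parents=True)
    (pkg / "syck").mkdir(parents=True)

    header = "int syck_parse(const char *buf);\n"
    parser = "int syck_parse(const char *buf) { return buf[0] == '-'; }\n"
    (lib / "syck.h").write_text(header)
    (lib / "syck.c").write_text(parser)
    (lib / "emitter.c").write_text("void syck_emit(void) {}\n")  # not copied

    (pkg / "syck" / "syck.c").write_text(parser)                   # verbatim copy
    (pkg / "syck" / "syck.h").write_text(header.replace(" ", "   "))  # reindented copy
    (pkg / "bindings.ml").write_text('external parse : string -> int = "syck_parse"\n')
    return base / "libsyck", base / "ocaml-syck"


def demo():
    """Scan the constructed package tree against the constructed library tree."""
    lib_root, pkg_root = build_sample_tree()
    return find_embedded_copies(pkg_root, {"libsyck": lib_root})


if __name__ == "__main__":
    for lib_name, matches in demo().items():
        for pkg_path, lib_path in matches:
            print(f"{lib_name}: {pkg_path} is a copy of {lib_path}")
```

Run it against a real unpacked package and the upstream tarball of the suspected library to get a list of candidate entries for the embedded-code-copies file; whitespace-normalised hashing keeps false negatives down for reindented copies, while anything the library patched locally still has to be found by eye.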
