
Re: Bits from the Testing Security team

On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote:
> Embedded code copies
> --------------------
> There are a number of packages including source code from external
> libraries, for example poppler is included in xpdf, kpdf and others.  To
> ensure that we don't miss any vulnerabilities in packages that do so we
> maintain a list[6] of embedded code copies in Debian. It is preferable
> that you do not embed copies of code in your packages, but instead link
> against packages that already exist in the archive. Please contact us
> about any missing items you know about.

Unfortunately, this is not always viable, because in some cases embedded
libraries are de facto forks of the original ones, or the program
depends on a specific version (and API) of the library.
I wonder if in those special cases an Embed: <source> tag could be added in
debian/control to help track things.

Francesco P. Lovergine
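The proposal above is to record embedded copies in debian/control so that a security team can find every package that carries a vulnerable library, rather than only those that link against the shared one. The script below is an added example, not part of this mail or of any Debian tooling: it assumes a hypothetical source-stanza field `Embed: <source> [(<version>)], ...` (the name and syntax are assumptions; Debian has no such field) and uses constructed sample control files in which two packages embed poppler and one merely build-depends on it.

```python
"""Find packages that embed a given source package via a hypothetical
'Embed:' field in debian/control.  Added example, not Debian tooling;
the field name and its syntax are assumptions made for illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample control files (not real Debian packaging).
SAMPLE_CONTROL_FILES: Dict[str, str] = {
    "xpdf": """\
Source: xpdf
Maintainer: Example Maintainer <maint@example.invalid>
Embed: poppler (0.5.4), freetype
Build-Depends: debhelper (>= 5)

Package: xpdf
Architecture: any
Description: PDF viewer
 Sample stanza with a folded continuation line.
""",
    "kpdf": """\
Source: kpdf
Maintainer: Example Maintainer <maint@example.invalid>
Embed: poppler,
 libpaper

Package: kpdf
Architecture: any
Description: PDF viewer for KDE
""",
    "evince": """\
Source: evince
Maintainer: Example Maintainer <maint@example.invalid>
Build-Depends: libpoppler-dev

Package: evince
Architecture: any
Description: Document viewer
""",
}

# Debian source names: lowercase alnum, '+', '-', '.'; optional "(version)".
EMBED_RE = re.compile(r"^([a-z0-9][a-z0-9+.-]+)\s*(?:\(([^)]*)\))?$")


def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Parse deb822-style text: stanzas separated by blank lines,
    'Field: value' lines, continuation lines starting with space/tab."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                stanzas.append(current)
            current, last_field = {}, None
            continue
        if raw[0] in " \t":  # folded continuation of the previous field
            if last_field is None:
                raise ValueError(f"continuation without a field: {raw!r}")
            current[last_field] += "\n" + raw.strip()
            continue
        if raw.startswith("#"):
            continue
        field, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def parse_embed(value: str) -> List[Tuple[str, Optional[str]]]:
    """Split a (possibly folded) Embed value into (source, version) pairs;
    version is None for an unversioned entry such as a de facto fork."""
    items: List[Tuple[str, Optional[str]]] = []
    for part in value.replace("\n", " ").split(","):
        part = part.strip()
        if not part:
            continue
        match = EMBED_RE.match(part)
        if not match:
            raise ValueError(f"cannot parse Embed entry: {part!r}")
        items.append((match.group(1), match.group(2)))
    return items


def embedded_copies(control_files: Dict[str, str]) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Map each source package to the libraries its control file embeds."""
    result: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for name, text in control_files.items():
        source = next((s for s in parse_stanzas(text) if "Source" in s), None)
        if source is None:
            raise ValueError(f"{name}: no Source stanza")
        if "Embed" in source:
            result[source["Source"]] = parse_embed(source["Embed"])
    return result


def affected_by(control_files: Dict[str, str], vulnerable: str) -> List[str]:
    """Source packages carrying their own copy of `vulnerable`.  Packages
    that only Build-Depend on it are left out: they get the fix through
    the shared library and are found by ordinary dependency tracking."""
    return sorted(pkg for pkg, embeds in embedded_copies(control_files).items()
                  if any(src == vulnerable for src, _ in embeds))


if __name__ == "__main__":
    for pkg in affected_by(SAMPLE_CONTROL_FILES, "poppler"):
        print(f"{pkg}: embeds poppler, needs its own update")
```

The unversioned entry for kpdf is the fork case from the mail: a version string cannot be checked against upstream, so such a package needs a manual look at every advisory for the embedded library, while the versioned xpdf entry can be compared mechanically against the affected range.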
