Hi Francesco,
* Francesco P. Lovergine <email@example.com> [2007-10-15 11:08]:
> On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote:
> >
> > Embedded code copies
> > --------------------
> >
> > There are a number of packages including source code from external
> > libraries, for example poppler is included in xpdf, kpdf and others. To
> > ensure that we don't miss any vulnerabilities in packages that do so we
> > maintain a list of embedded code copies in Debian. It is preferable
> > that you do not embed copies of code in your packages, but instead link
> > against packages that already exist in the archive. Please contact us
> > about any missing items you know about.
> >
>
> Unfortunately this is not always viable, because in some cases embedded
> libraries are de facto forks of the original ones, or the program
> depends on a specific version (and API) of the library.

Yes true but in most cases the code base is nearly the same
and we can check this without knowing ;)

> I wonder if in those special cases an Embed: <source> tag could be added in
> debian/control to help tracking things.

That would be a nice thing, also if this would include
information if the code is really included or just
statically linked against it.

Kind regards
Nico
--
Nico Golde - http://ngolde.de - firstname.lastname@example.org - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.