Hi Francesco, * Francesco P. Lovergine <frankie@debian.org> [2007-10-15 11:08]: > On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote: > > > > Embedded code copies > > -------------------- > > > > There are a number of packages including source code from external > > libraries, for example poppler is included in xpdf, kpdf and others. To > > ensure that we don't miss any vulnerabilities in packages that do so we > > maintain a list[6] of embedded code copies in Debian. It is preferable > > that you do not embed copies of code in your packages, but instead link > > against packages that already exist in the archive. Please contact us > > about any missing items you know about. > > > > Unfortunately this is not always viable, because in some cases embedded > libraries are de facto forks of the original ones, or the program > depends on a specific version (and API) of the library. Yes true but in most cases the code base is nearly the same and we can check this without knowing ;) > I wonder if in those special cases an Embed: <source> tag could be added in > debian/control to help tracking things. That would be a nice thing, also if this would include information if the code is really included or just statically linked against it. Kind regards Nico -- Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
pgp3OcJFu3av1.pgp
Description: PGP signature