
Re: Bits from the Testing Security team

Hi Francesco,
* Francesco P. Lovergine <frankie@debian.org> [2007-10-15 11:08]:
> On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote:
> > 
> > Embedded code copies
> > --------------------
> > 
> > There are a number of packages including source code from external
> > libraries, for example poppler is included in xpdf, kpdf and others.  To
> > ensure that we don't miss any vulnerabilities in packages that do so we
> > maintain a list[6] of embedded code copies in Debian. It is preferable
> > that you do not embed copies of code in your packages, but instead link
> > against packages that already exist in the archive. Please contact us
> > about any missing items you know about.
> > 
> Unfortunately this is not always viable, because in some cases embedded
> libraries are de facto forks of the original ones, or the program
> depends on a specific version (and API) of the library.

Yes, true, but in most cases the code base is nearly the same
and we can check this without knowing ;)

> I wonder if in those special cases an Embed: <source> tag could be added in
> debian/control to help tracking things.

That would be a nice thing, especially if it also included
information on whether the code is really included or just
statically linked against it.

Kind regards
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
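The proposal discussed above is a per-package declaration of embedded code, with the extra bit Nico asks for (copied source versus a static link), so that an advisory against a library can be turned into the list of source packages that must be re-checked. The following is an added example, not code from the Debian Testing Security team or from anyone in the thread: it parses deb822-style `debian/control` stanzas, reads a hypothetical `Embed:` field of the form `library (copy|static)` (no such field exists in Debian's control format; the field name, its value syntax, and the sample stanzas and package names are constructed here) and answers "which source packages pull in library X, and how".

```python
"""Cross-check hypothetical 'Embed:' declarations in debian/control
against a library that has just received a security advisory.

Added example for the mail thread above; not Debian tooling.  The 'Embed:'
field is the one proposed in the thread and is hypothetical, as is its
'<library> (copy|static)' value syntax.  The control stanzas below are
constructed sample input.
"""
import re
from collections import defaultdict

# Constructed sample: two source packages, each declaring what it embeds.
# 'copy' = library source is included, 'static' = only statically linked.
SAMPLE_CONTROL = """\
Source: xpdf
Section: text
Priority: optional
Maintainer: Example Maintainer <maint@example.invalid>
Embed: poppler (copy), libjpeg (static)

Package: xpdf
Architecture: any
Description: Portable Document Format (PDF) suite
 Long description here.

Source: kpdf
Section: kde
Maintainer: Example Maintainer <maint@example.invalid>
Embed: poppler (copy)

Package: kpdf
Architecture: any
Description: PDF viewer for KDE
"""

# One Embed entry: a Debian-style source name, optionally followed by the
# relation in parentheses.  Hypothetical syntax (see module docstring).
EMBED_RE = re.compile(r"^\s*([A-Za-z0-9.+-]+)\s*(?:\(\s*(copy|static)\s*\))?\s*$")


def parse_stanzas(text):
    """Split deb822-style text into a list of {field: value} dicts.

    Stanzas are separated by blank lines; lines starting with whitespace
    are continuation lines and are appended to the previous field.
    """
    stanzas, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field:
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        field = field.strip()
        current[field] = value.strip()
        last_field = field
    if current:
        stanzas.append(current)
    return stanzas


def parse_embed_field(value):
    """Parse 'poppler (copy), libjpeg (static)' into [(library, relation)].

    A missing relation defaults to 'copy'; a malformed entry raises so a
    typo in the field is caught rather than silently dropped from tracking.
    """
    entries = []
    for item in value.split(","):
        m = EMBED_RE.match(item)
        if not m:
            raise ValueError("malformed Embed entry: %r" % item)
        entries.append((m.group(1), m.group(2) or "copy"))
    return entries


def embedders(control_text):
    """Map library name -> {source package: relation} over all Source stanzas."""
    index = defaultdict(dict)
    for stanza in parse_stanzas(control_text):
        if "Source" not in stanza or "Embed" not in stanza:
            continue
        for lib, relation in parse_embed_field(stanza["Embed"]):
            index[lib][stanza["Source"]] = relation
    return index


def affected_packages(control_text, vulnerable_library):
    """Source packages to re-check when vulnerable_library gets an advisory,
    as a sorted list of (package, relation) pairs."""
    return sorted(embedders(control_text).get(vulnerable_library, {}).items())


if __name__ == "__main__":
    for pkg, rel in affected_packages(SAMPLE_CONTROL, "poppler"):
        print("%s embeds poppler (%s)" % (pkg, rel))
```

In a real archive the per-package `Embed:` fields would be collected from every source package's control file and the index built once, so that a single lookup replaces the manual maintenance of the embedded-code-copies list the original mail refers to; the `copy`/`static` relation tells the security team whether a fix needs a source patch or only a rebuild against the fixed library.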
