Re: unzip.h and unzip.c files in source packages.
On Tue, 15 Dec 2009 23:50:43 +0900, Charles Plessy wrote:
> Dear all,
>
> while reviewing an Ubuntu package that we are considering to submit to the NEW
> queue for inclusion in Debian, I found a copy of source files from the
> ‘minizip’ package, that was not mentioned in debian/copyright.
[...]
> The conclusion is that we should either change our policy on copyright
> documentation (that goes further than what is required by some licenses),
> or double-check our packages.
The technically robust solution here would be to add embedded code
copy checks to lintian. However, at best those checks would only be
able to produce a "confidence level" that the code checked may contain
an embed. This is because code copies tend to be of various versions,
and a direct code comparison would not be sufficient.
The security-tracker's known embedded code copies list [0] would be
a good resource of reference source code that should be searched in
these lintian checks.
Anyway, implementing this could involve some significant work, and I
personally do not have the time for it, but it would be incredibly
useful; especially from a security standpoint since dealing with
embedded code is very tedious and time-consuming.
Best wishes,
Mike
[0] http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies
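A sketch of the kind of "confidence level" check described above, added here as an example (it is not lintian code and not from the thread): token shingles of a reference file are matched against each file in a package tree, so a copy of a different upstream version still scores, just lower. The shingle size, the thresholds and the C fragments are constructed assumptions.

```python
import re

TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|\S")

def tokens(src):
    # Drop C comments; whitespace is ignored by the tokeniser, so a
    # reformatted or re-commented copy still yields the same tokens.
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"//[^\n]*", " ", src)
    return TOKEN.findall(src)

def shingles(toks, k=5):
    # Set of k-token windows (k=5 is an assumed tuning value).
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}

def containment(reference, candidate, k=5):
    # Share of the reference's shingles found in the candidate; containment
    # rather than Jaccard so a reference embedded in a bigger file scores high.
    ref = shingles(tokens(reference), k)
    return len(ref & shingles(tokens(candidate), k)) / len(ref) if ref else 0.0

def confidence(score):
    # Thresholds are assumptions; a real lintian check would tune them on data.
    return "high" if score >= 0.6 else "medium" if score >= 0.3 else "none"

def scan(reference, files):
    # files: {path: source}; returns {path: (score, level)} for a report.
    return {p: (round(containment(reference, s), 2),
                confidence(containment(reference, s))) for p, s in files.items()}

# Constructed stand-in for a reference file (not real minizip code).
REFERENCE = """
int unz_read_header(struct zfile *zf, unsigned char *buf, int len) {
    if (len < 30) return -1;            /* local header is 30 bytes */
    zf->sig = read_u32(buf);
    if (zf->sig != 0x04034b50) return -2;
    zf->method = read_u16(buf + 8);
    zf->name_len = read_u16(buf + 26);
    return 0;
}
"""
# Constructed "newer version" copy: renamed identifiers plus one added check.
COPY = REFERENCE.replace("len", "size").replace(
    "    zf->method", "    if (zf->method_ok == 0) return -3;\n    zf->method")
UNRELATED = "int add(int a, int b) { return a + b; }\n"

if __name__ == "__main__":
    for path, (score, level) in scan(REFERENCE, {"src/unzip.c": COPY,
                                                   "src/util.c": UNRELATED}).items():
        print(f"{path}: containment={score} confidence={level}")
```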