
Re: unzip.h and unzip.c files in source packages.



On Tue, 15 Dec 2009 23:50:43 +0900, Charles Plessy wrote:
> Dear all,
> 
> while reviewing an Ubuntu package that we are considering to submit to the NEW
> queue for inclusion in Debian, I found a copy of source files from the
> ‘minizip’ package, that was not mentioned in debian/copyright.
[...]
> The conclusion is that we should either change our policy on copyright
> documentation (that goes further than what is required by some licenses),
> or double-check our packages.

The technically robust solution here would be to add embedded code
copy checks to lintian.  However, at best those checks would only be
able to produce a "confidence level" that the code checked may contain
an embed.  This is because code copies tend to be of various versions,
and a direct code comparison would not be sufficient.

The security-tracker's known embedded code copies list [0] would be
a good resource of reference source code that should be searched in
these lintian checks.

Anyway, implementing this could involve some significant work, and I
personally do not have the time for it, but it would be incredibly
useful; especially from a security standpoint since dealing with
embedded code is very tedious and time-consuming.

Best wishes,
Mike

[0] http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies
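A sketch of the kind of fuzzy check described above, added here as an illustration and not code from lintian or the security-tracker: it scores how much of a reference source file survives in a candidate file using token k-gram containment, so an older or locally patched copy still scores high, and maps the score to a confidence bucket. The C samples and the thresholds are constructed for the example.

```python
"""Heuristic embedded-code-copy check with a confidence score (constructed example)."""
import re
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)  # C and C++ comments
_TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|\S")          # identifiers, numbers, punctuation

def tokens(src: str) -> list[str]:
    """Tokenize C source; comments and whitespace never affect the score."""
    return _TOKEN.findall(_COMMENT.sub(" ", src))

def kgrams(toks: list[str], k: int) -> set[tuple[str, ...]]:
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}

def containment(reference: str, candidate: str, k: int = 5) -> float:
    """Fraction of the reference's token k-grams that occur in the candidate.
    An edit only drops the k-grams straddling it, so an older or locally
    patched copy of the reference still scores high, unlike a byte-for-byte diff."""
    ref = kgrams(tokens(reference), k)
    return len(ref & kgrams(tokens(candidate), k)) / len(ref) if ref else 0.0

def verdict(score: float) -> str:
    """Confidence bucket a lintian-style tag could report (thresholds are a guess)."""
    return ("likely-embedded-copy" if score >= 0.6 else
            "possible-embedded-copy" if score >= 0.2 else "no-match")

# Constructed samples: a reference function, a drifted later version, unrelated code.
REFERENCE = """
static int zip_open_entry(zip_file *zf, const char *name)
{
    if (zf == NULL || name == NULL)
        return ZIP_PARAMERROR;
    if (zf->current_ok == 0)
        return ZIP_PARAMERROR;
    return zip_read_header(zf, name);
}"""
DRIFTED = """
/* later release: braces added, one statement inserted */
static int zip_open_entry(zip_file *zf, const char *name) {
  if (zf == NULL || name == NULL) { return ZIP_PARAMERROR; }
  if (zf->current_ok == 0)
    return ZIP_PARAMERROR;
  zf->err = 0;
  return zip_read_header(zf, name);
}"""
UNRELATED = """
static size_t copy_bytes(char *dst, const char *src, size_t n) {
    size_t i;
    for (i = 0; i < n; i++) dst[i] = src[i];
    return i;
}"""
```

Run against a directory of candidate files, the reference set would be the sources listed in the embedded-code-copies file above; string literals containing comment markers are a known blind spot of the simple tokenizer.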
