Bug#726393: solution via obfuscation
Perhaps this issue could be solved by manipulating source tarballs in
question to obfuscate the problematic snippets. Eg,
gpg --encrypt --symmetric --passphrase WhiteList ICKY-FILE
This would be unpacked appropriately at build time.
If the same issue comes up for binaries, a similar mechanism could be
used there, with the post-installation scripts doing the de-obfuscation.
I won't say it's pretty ... but it would suppress these false positives.
Barak A. Pearlmutter
Hamilton Institute & Dept Comp Sci, NUI Maynooth, Co. Kildare, Ireland