On Tue, 15 Dec 2009 23:50:43 +0900, Charles Plessy wrote:
> Dear all,
>
> while reviewing an Ubuntu package that we are considering to submit to the NEW
> queue for inclusion in Debian, I found a copy of source files from the
> ‘minizip’ package, that was not mentioned in debian/copyright.
[...]
> The conclusion is that we should either change our policy on copyright
> documentation (that goes further than what is required by some licenses),
> or double-check our packages.

The technically robust solution here would be to add embedded code copy checks to lintian. However, at best those checks would only be able to produce a "confidence level" that the code checked may contain an embed. This is because code copies tend to be of various versions, and a direct code comparison would not be sufficient.

The security-tracker's known embedded code copies list [0] would be a good resource of reference source code that should be searched in these lintian checks.

Anyway, implementing this could involve some significant work, and I personally do not have the time for it, but it would be incredibly useful; especially from a security standpoint since dealing with embedded code is very tedious and time-consuming.

Best wishes,
Mike

[0] http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies
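
A sketch of the kind of "confidence level" check proposed above, added here as an example; it is not part of the original message and not lintian code. The function names, the 0.5 threshold, the hashed line-shingle technique and the sample sources are all assumptions constructed for illustration.

```python
import hashlib

def shingles(source: str, k: int = 3) -> set[str]:
    """Hash every run of k consecutive non-blank lines, ignoring whitespace style."""
    lines = [" ".join(l.split()) for l in source.splitlines() if l.strip()]
    return {hashlib.sha256("\n".join(lines[i:i + k]).encode()).hexdigest()
            for i in range(len(lines) - k + 1)}

def embed_confidence(candidate: str, reference: str, k: int = 3) -> float:
    """Fraction of the reference's shingles that also occur in the candidate."""
    ref = shingles(reference, k)
    return len(ref & shingles(candidate, k)) / len(ref) if ref else 0.0

def scan(package: dict[str, str], references: dict[str, str], threshold: float = 0.5):
    """Return (path, reference name, confidence) for files at or above threshold."""
    hits = []
    for path, text in package.items():
        for name, ref in references.items():
            score = embed_confidence(text, ref, 3)
            if score >= threshold:
                hits.append((path, name, round(score, 2)))
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample input (not real minizip source).
REFERENCE = """\
int open_archive(const char *path)
{
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return -1;
    read_header(fp);
    fclose(fp);
    return 0;
}
"""
# A different, re-indented version with one changed line and an extra header,
# standing in for a bundled copy that a byte-for-byte comparison would miss.
BUNDLED = "/* bundled copy */\n" + REFERENCE.replace("    ", "  ").replace(
    "read_header(", "read_header_v1(")
PACKAGE = {"src/zip/open.c": BUNDLED, "src/main.c": "int main(void)\n{\n    return 0;\n}\n"}

if __name__ == "__main__":
    print(scan(PACKAGE, {"example-ziplib": REFERENCE}))
```

The bundled file matches 4 of the reference's 7 shingles, so it is reported with a confidence of 0.57 even though the two files are not identical.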