Package: dotlrn
Version: 2.5.0+dfsg-8
Severity: important

Dear dotlrn maintainer,

I noticed that dotlrn contains an embedded copy[1] of half of openacs,
but this embedding is not registered with Debian's security tracker[2].
Note that the Debian policy discourages embedded copies, but does not
forbid them.

This bug has an impact on the security team, because both openacs and
dotlrn have received CVE identifiers in the past and the bug is
therefore marked as important.

To resolve this issue, I ask you to do one of the following:

 * Investigate whether you can replace the embedded copy with a
   dependency on openacs. I.e. remove the embedded copy. This may be a
   fair amount of work, if possible at all.

 * Ask the security team to add dotlrn -> openacs as an embedded copy in
   the security tracker. I can do that.

Helmut

[1] http://dedup.debian.net/binary/dotlrn
    http://dedup.debian.net/compare/dotlrn/openacs
[2] https://wiki.debian.org/EmbeddedCodeCopies