Source: libidn
Severity: normal

the use of gnulib in this package makes it significantly harder to backport security patches around the different Debian suites. I have spent a long time trying to figure out how to update the gnulib source code in libidn for CVE-2015-2059, for example. it was pretty painful!
using an external library like libunistring would be much better. i understand that gnulib is necessary to port to certain environments for the GNU system, but this here is Debian, we can certainly do better! this would also be in accordance with §4.13:

https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles

-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (1, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

_______________________________________________
Help-libidn mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-libidn
