Hi,

during a package review for the NM process I noticed a few packages embedding a copy of gnulib (or parts thereof), but no mention of it at https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co

I don't know of a good way to detect gnulib, since apparently many projects just embed parts of it. Searching for a top-level "gl" directory gives:

    $ grep ^gl/ Contents-source | sed 's/.*\t//;s/,/\n/g' | sort -u
    calligra-l10n
    cssc
    dc3dd
    djmount
    frontaccounting
    gengetopt
    gfsview
    gnupg2
    gnutls26
    gnutls28
    gsasl
    gss
    jwhois
    kde-l10n
    libdap
    libforms
    libidn
    libidn2-0
    libksba
    libntlm
    libtasn1-6
    libykneomgr
    monitoring-plugins
    oath-toolkit
    openoffice.org-dictionaries
    paperkey
    pspp
    shishi
    source-highlight

calligra-l10n, dc3dd, kde-l10n, and openoffice.org-dictionaries are false positives. gss and oath-toolkit can probably be ignored (essentially an "empty" copy of gnulib).

Note that there is no shared or static library package of gnulib; it is intended to be distributed at the source code level.

Joachim

P.S.: Please CC: me on replies.
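The search described in the mail above, as an added example that is not part of the original message: it keeps the top-level `gl/` heuristic, drops the four false positives the mail names, and also flags any package shipping a `gnulib-cache.m4` file, which gnulib-tool writes when it imports modules. The second heuristic, the function names and the sample input are assumptions added here; the input format (path, tab, comma-separated source packages) is the one the mail's `sed` expression implies.

```shell
#!/bin/sh
# Added example: list source packages that appear to embed gnulib,
# with the reason each one was flagged.

# False positives named in the mail.
FALSE_POSITIVES="calligra-l10n dc3dd kde-l10n openoffice.org-dictionaries"

# Reads Contents-source style lines ("<path>\t<pkg>[,<pkg>...]") from the
# given files, or from stdin when no file is given.
gnulib_candidates() {
    awk -F'\t' -v skip="$FALSE_POSITIVES" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) fp[s[i]] = 1 }
        # Heuristic 1 (from the mail): a top-level gl/ directory.
        # Heuristic 2 (added assumption): gnulib-tool bookkeeping file.
        $1 ~ /^gl\// || $1 ~ /(^|\/)gnulib-cache\.m4$/ {
            why = ($1 ~ /^gl\//) ? "gl-dir" : "gnulib-cache.m4"
            m = split($NF, pkgs, ",")
            for (i = 1; i <= m; i++) {
                p = pkgs[i]
                if (p == "" || (p in fp)) continue
                if (!((p, why) in seen)) { seen[p, why] = 1; print p "\t" why }
            }
        }' "$@" | LC_ALL=C sort -u
}

# Constructed sample input; "example-pkg" and "other-pkg" are made-up names.
sample_contents() {
    printf 'gl/Makefile.am\tgsasl,kde-l10n\n'
    printf 'gl/intprops.h\tlibidn\n'
    printf 'gl/README\tdc3dd\n'
    printf 'm4/gnulib-cache.m4\texample-pkg\n'
    printf 'src/main.c\tother-pkg\n'
}

# Demo run on the constructed sample.
sample_contents | gnulib_candidates
```

Against a real archive index, run `gnulib_candidates Contents-source` and compare the result with the entries already recorded in embedded-code-copies.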

