[Secure-testing-team] Package litmus embeds neon

Neil McGovern maulkin at mx0.halon.org.uk
Sat Oct 28 12:38:03 CEST 2006


Package: litmus
Severity: important

Hello,

This is a (semi) mass bug filing against your package as it embeds its
own copy of neon, rather than dynamically linking against the libneon26
package.

* Why is this important?
  It is important, as embedding copies of code, rather than linking
  against them creates a lot more work for the security team.
* How was this discovered?
  It was discovered by running clamscan with a signature from the neon
  binaries against the entire archive.
* But neon is openssl licenced, so I can't link against it!
  Not any more :) Neon now produces a gnutls version under package name
  neon26 (libneon26-gnutls).
* Is this RC?
  For etch, not by itself. It may be a release goal for etch+1. However,
  it's still important and will be considered when working out if your
  package can be supported by the security team.

Many thanks,
Neil McGovern
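The discovery method the mail describes (scanning the whole archive with a signature derived from the neon binaries) can be approximated in a few lines. What follows is an added example, not part of the original mail and not the security team's clamscan signature: it derives a string signature from a reference build of the library, subtracts every string that also appears in a known dynamically-linked consumer (import tables carry the exported symbol names, so those alone would flag correctly linked packages too), and then reports how much of the remaining signature each candidate binary contains. The "binaries" are constructed byte strings rather than real ELF files, and the symbol and message strings in them are assumed for illustration.

```python
from __future__ import annotations

import re

# Like strings(1): ignore short runs, which are rarely distinctive.
MIN_LEN = 10


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> set[bytes]:
    """Printable-ASCII runs of at least min_len bytes, as strings(1) reports them."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))


def build_signature(reference: bytes, dynamic_consumer: bytes) -> set[bytes]:
    """Strings that identify the library's own code.

    Exported symbol names also appear in the dynamic symbol tables of binaries
    that link against the shared library, so everything seen in a known-good
    consumer is subtracted. What remains (internal messages, format strings,
    symbols the consumer happens not to import) only shows up in an embedded copy.
    """
    return extract_strings(reference) - extract_strings(dynamic_consumer)


def scan(candidate: bytes, signature: set[bytes],
         threshold: float = 0.5) -> tuple[bool, float]:
    """Return (flagged, fraction of signature strings found as substrings).

    A threshold rather than 'any match' keeps a consumer that imports one
    signature symbol from being reported as an embedded copy.
    """
    if not signature:
        return False, 0.0
    hits = sum(1 for s in signature if s in candidate)
    ratio = hits / len(signature)
    return ratio >= threshold, ratio


def report(candidates: dict[str, bytes],
           signature: set[bytes]) -> dict[str, tuple[bool, float]]:
    """Scan every candidate package and return its verdict, keyed by name."""
    return {name: scan(data, signature) for name, data in candidates.items()}


# --- Constructed stand-ins for binaries (assumed content, not real ELF files) ---
LIBNEON = (b"\x7fELF\x02\x01\x01\x00"
           b"ne_session_create\x00ne_request_create\x00ne_xml_parse\x00"
           b"Could not parse response status line\x00"
           b"SSL negotiation failed\x00")
# A package that links dynamically: carries the library name and imported symbols only.
GOOD_CLIENT = (b"\x7fELF\x02\x01\x01\x00"
               b"libneon.so.26\x00ne_session_create\x00ne_request_create\x00"
               b"good-client usage: ...\x00")
# Another dynamically-linked package that imports a symbol the first one did not.
OTHER_CLIENT = (b"\x7fELF\x02\x01\x01\x00"
                b"libneon.so.26\x00ne_xml_parse\x00"
                b"other-client: fetching resource\x00")
# A package with the library compiled in: its internal strings come along.
EMBEDDING_PKG = (b"\x7fELF\x02\x01\x01\x00"
                 b"ne_session_create\x00ne_request_create\x00ne_xml_parse\x00"
                 b"Could not parse response status line\x00"
                 b"SSL negotiation failed\x00"
                 b"litmus test suite\x00")

if __name__ == "__main__":
    sig = build_signature(LIBNEON, GOOD_CLIENT)
    for name, (flagged, ratio) in report(
            {"good-client": GOOD_CLIENT,
             "other-client": OTHER_CLIENT,
             "embedding-pkg": EMBEDDING_PKG}, sig).items():
        print(f"{name:14s} {'EMBEDS' if flagged else 'ok    '} {ratio:.2f}")
```

With the sample data the embedding package matches the whole signature, the consumer used to build the signature matches none of it, and the second consumer matches one symbol out of three and stays below the threshold. A real signature would be built from code byte sequences as well as strings, and from more than one known consumer, but the subtraction step is the part that keeps a scan of a whole archive from flagging every package that links the library correctly.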


