[Secure-testing-team] Package litmus embeds neon
Neil McGovern
maulkin at mx0.halon.org.uk
Sat Oct 28 12:38:03 CEST 2006
Package: litmus
Severity: important

Hello,

This is a (semi) mass bug filing against your package as it embeds its
own copy of neon, rather than dynamically linking against the libneon26
package.

* Why is this important?
It is important, as embedding copies of code, rather than linking
against them creates a lot more work for the security team.

* How was this discovered?
It was discovered by running clamscan with a signature from the neon
binaries against the entire archive.

* But neon is openssl licenced, so I can't link against it!
Not any more :) Neon now produces a gnutls version under package name
neon26 (libneon26-gnutls).

* Is this RC?
For etch, not by itself. It may be a release goal for etch+1. However,
it's still important and will be considered when working out if your
package can be supported by the security team.

Many thanks,
Neil McGovern
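
The kind of scan described under "How was this discovered?", as an added example that is not part of the original message and does not use clamscan or the real signature. The marker bytes, the file names and the `libneon.so` name prefix used to skip the shared library itself are all constructed assumptions.

```python
import os
import tempfile

# Constructed marker standing in for a signature taken from the neon binaries.
SIGNATURE = b"NEON-EMBED-DEMO-SIGNATURE"

def file_contains(path, signature, chunk_size=64 * 1024):
    """Stream a file and report whether the signature occurs anywhere in it."""
    overlap = len(signature) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if signature in window:
                return True
            # Carry the last bytes over so a match split across two reads is found.
            tail = window[-overlap:] if overlap else b""

def find_embedded_copies(root, signature, own_library_prefixes=("libneon.so",)):
    """Return paths under root that carry the signature but are not the library."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.startswith(own_library_prefixes) or os.path.islink(path):
                continue  # the shared library is expected to match; skip symlinks
            if file_contains(path, signature):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Scan a constructed three-file tree: the library, an embedder, a linker."""
    samples = {
        "usr/lib/libneon.so.26": b"\x7fELF" + SIGNATURE,
        # Padding puts the marker across the 64 KiB read boundary.
        "usr/bin/embeds": b"\x7fELF" + b"A" * 65522 + SIGNATURE,
        "usr/bin/links": b"\x7fELF" + b"libneon.so.26\x00" + b"B" * 100,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_embedded_copies(root, SIGNATURE)

if __name__ == "__main__":
    print(demo())
```

Only the binary that carries its own copy of the marked code is reported; the one that merely names the shared library is not.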