[Secure-testing-team] Bits from the Testing Security team

Julien BLACHE jblache at debian.org
Mon Oct 15 09:01:05 UTC 2007


Stefan Fritsch <sf at debian.org> wrote:

Hi,

> Embedded code copies
> --------------------
>
> There are a number of packages including source code from external
> libraries, for example poppler is included in xpdf, kpdf and others.  To
> ensure that we don't miss any vulnerabilities in packages that do so we
> maintain a list[6] of embedded code copies in Debian. It is preferable
> that you do not embed copies of code in your packages, but instead link
> against packages that already exist in the archive. Please contact us
> about any missing items you know about.

iaxmodem embeds copies of spandsp and libiax.

 - spandsp is a recent CVS snapshot with patches specific to
   iaxmodem, some of them having no chance of being integrated
   upstream at all (specific hooks)

 - libiax is a patched version of one of the 3 or 4 different libiax
   available; it contains a number of iaxmodem-specific patches &
   enhancements. Again, won't make it upstream any time soon, that
   would mean getting the 3 or 4 different libiax to merge and that's
   just not possible (different people have tried, myself included,
   and we couldn't get the upstreams to agree on something)

There's just no way to build iaxmodem against the libraries we have in
Debian; iaxmodem is only reliable when built with the embedded
libraries.

Thanks,

JB.

-- 
 Julien BLACHE - Debian & GNU/Linux Developer - <jblache at debian.org> 
 
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 


