Debian Policy 4.13 states that Debian packages should not use convenience copies.
The list of packages embedding code from other projects is maintained in the secure-testing svn repository:
This list also contains information about code forks so that the security team can check if all forks contain the same vulnerabilities. Send suggestions or additions to email@example.com.
The Debian duplication detector detects duplicate files in binary packages and may be useful for detecting verbatim duplication of interpreted code and data.
If you have a particular piece of code with some interesting aspect (security issue etc) you can likely find other copies using the Debian code search site.