Differences between revisions 2 and 51 (spanning 49 versions)
Revision 2 as of 2006-01-09 12:18:35
Size: 2763
Editor: MartinPitt
Comment: add some formatting
Revision 51 as of 2020-04-09 06:37:46
Size: 4763
Editor: PaulWise
Comment: include non-code things too
Line 1: Line 1:
= Embedded source code copies =
This file collects cases, where a source package embeds code from
other projects, without linking dynamically:
## page was renamed from EmbeddedCodeCopies
[[https://www.debian.org/doc/debian-policy/ch-source.html#convenience-copies-of-code|Debian Policy 4.13]] states that Debian packages should not use convenience copies.
Line 5: Line 4:
== xpdf code: (some use xpdf 2, some xpdf 3) ==
gpdf
pdftohtml
kdegraphics/kpdf
tetex-bin (the very latest tetex-bin started to use poppler)
cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though)
poppler
koffice
libextractor
Embedded copies (of code, data, fonts or other things) should be removed from the upstream VCS and source tarballs. Upstream might want to only embed the copies in the binary packages they distribute, script the install of their dependencies and or bundle the dependencies into a single but separate source tarball rather than embedding copies of them. Once upstream has fixed the issue, the Debian package can then be updated to the fixed version. If upstream refuse to remove the embedded copies, then Debian should either repack the upstream tarball using Files-Excluded (if there is a DFSG or size issue) or remove the files in `debian/rules clean` and very early in `debian/rules build`, so that there is no chance of them being used by the build process.
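Review bot: "script the install of their dependencies and or bundle the dependencies" in the added paragraph should read "and/or" (the sentence offers three alternatives to upstream). While touching this sentence, it would help readers to say where `Files-Excluded` is declared, since the paragraph names it as the repacking mechanism without pointing at the file it lives in.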
Line 15: Line 6:
== zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions) ==
dpkg
rsync (somehow derived code base)
mozilla(?)
Linux kernels
pvpgn (links dynamically since 1.7.8-2)
The list of packages that embed copies (including unused ones) of other projects is maintained in the security-tracker git repository.
Line 22: Line 8:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies
Line 23: Line 10:
== libgadu/ekg ==
centericq
gaim
kopete (ships the code, but links dynamically in the Debian package)
kadu (not packaged in Debian)
GNU gadu (not yet packaged in Debian)
This list also contains information about forks so that the security team can check if all forks contain the same vulnerabilities.
Line 30: Line 12:
All Debian members have commit access to the security-tracker repository and others can send suggestions or additions to the [[DebianList:debian-security-tracker|debian-security-tracker mailing list]].
Line 31: Line 14:
== xmlrpc: (which package is the "origin" of this code?) ==
drupal
phpgroupware
egroupware
phpwiki
php4 (php-pear, IIRC this was reorganized some weeks ago?)
tikiwiki (not packaged in Debian)
Lintian detects embedding of [[https://lintian.debian.org/tags/embedded-feedparser-library.html|feedparser]], common [[https://lintian.debian.org/tags/embedded-javascript-library.html|JavaScript]]/[[https://lintian.debian.org/tags/embedded-library.html|C/C++]]/[[https://lintian.debian.org/tags/embedded-pear-module.html|PEAR]]/[[https://lintian.debian.org/tags/embedded-php-library.html|PHP]] libraries, !PostScript fragments ([[https://lintian.debian.org/tags/license-problem-font-adobe-copyrighted-fragment.html|1]] [[https://lintian.debian.org/tags/license-problem-font-adobe-copyrighted-fragment-no-credit.html|2]]) and [[https://lintian.debian.org/tags/duplicate-font-file.html|fonts]].
Line 39: Line 16:
These wiki pages mention embedded copies: [[arc4random]]
Line 40: Line 18:
== shtool: (affects build-time only) ==
mysql-ocaml
php4
These gobby pages mention embedded copies: [[https://gobby.debian.org/export/Teams/Perl/Embedded_modules_in_inc|Teams/Perl/Embedded_modules_in_inc]].
Line 44: Line 20:
The [[dedup.debian.net|Debian duplication detector]] detects duplicate files in binary packages and may be useful for detecting verbatim duplication of files across multiple binary packages.
Line 45: Line 22:
== mozilla ==
mozilla-firefox
mozilla-thunderbird
nvu
[[https://github.com/silviocesare/Clonewise|Clonewise]] is a tool not yet in Debian that [[https://lists.debian.org/debian-security/2012/07/msg00000.html|could be used to find unfixed vulnerabilities because of embedded code copies]]. [[https://github.com/Mondego/SourcererCC|SourcererCC]] is another tool for detecting embedded code copies.
Line 50: Line 24:
The [[https://sources.debian.org/|Debian Sources website]] collects hashes and ctags of all Debian source code and allows [[https://sources.debian.org/advancedsearch/|searching]] for specific hashes and ctags, which may be useful for detecting duplication of source code and data.
Line 51: Line 26:
== xli ==
xloadimage
If you have a particular file with some interesting aspect (security issue etc) you can likely find other copies using the [[DebianCodeSearch|Debian code search site]] or external code search engines such as [[https://code.ohloh.net/|Ohloh code]], [[https://searchcode.com/|searchcode]] and [[https://github.com/|GitHub]].
Line 54: Line 28:
== lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream) ==
openmotif
xfree86/xorg (in libxpm)
If a file has a fairly unique name, you can often find copies of that file by searching the contents of Debian binary or source packages using apt-file:
Line 58: Line 30:
{{{
apt-file search uniquename.py
apt-file search -I dsc uniquename.c
}}}
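Review bot: the two apt-file commands search different things, but the introducing sentence only says "binary or source packages" collectively. Label which is which next to each command (the plain `apt-file search` looks through binary package contents; the `-I dsc` variant looks through source packages), so a reader knows which one to run for a given file.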
Line 59: Line 35:
== kerberized apps with BSD origin ==
krb4
krb5
heimdal
Various Debian folks keep track of embedded copies they found via usertags:
Line 64: Line 37:
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embedded-code-copy&user=rbrito@ime.usp.br|rbrito@ime.usp.br]]
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embedded-code-copy&user=jwilk@debian.org|jwilk@debian.org]]
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embed&user=pabs@debian.org|pabs@debian.org]]
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embedded-synctex-parser&user=sramacher@debian.org|sramacher@debian.org]]
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embed&user=dr@jones.dk|dr@jones.dk]]
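Review bot: the five usertag links use three different tag names (`embedded-code-copy`, `embed`, `embedded-synctex-parser`), so there is no single query that returns all tracked bugs. The text should say so, or recommend one tag name for new reports so the lists converge.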
Line 65: Line 43:
== grip (which pkg is the origin?) ==
libcdaudio
grip
gnome-vfs (vfs2 as well?)
= See also =
Line 70: Line 45:

== fudforum ==
phpgroupware-fudforum
egroupware-fudforum

== cvs ==
gcvs (at least an additional script is included, check if there's more)

== pcre ==
python versions up to 2.3, 2.4 uses system lib
php4 (src included, but Debian package links dynamically)
analog (src included, but Debian package links dynamically)
libgoffice-1
tf5 (since 5.0beta7 the Debian package links dynamically)

== tiff ==
wxpythongtk (check, which debian pkg this is in)
older kdegraphics/kpdf releases < 3.3 embedded a copy


== uudeview ==
libconvert-uulib-perl

== sqlite (not affected by security vulnerabilities so far) ==
amarok

== util-linux/mount ==
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb

== webmin ==
usermin

== sylpheed ==
sylpheed-claws

== phpsysinfo ==
egroupware
phpgroupware

== phpldapadmin ==
egroupware

== chmlib ==
kchmviewer (not packaged in Debian)

== libavcodec/libavformat ==
ffmpeg
xine-lib
xvidcap (currently in NEW)
kino(?)
gst-ffmpeg
xmovie (currently in NEW)

=== mad MPEG decoding lib ==
mad
xine-lib

== libdts ==
libdts
xine-lib

== flac ==
flac
xine-lib

== liba52 ==
a52dec
xine-lib

== libmpeg2 ==
mpeg2dec
xine-lib

== curl ==
wget (code for NTLM authentication)
 * [[https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries|Fedora policy]] ([[https://fedoraproject.org/wiki/Bundled_Libraries|more]])
 * [[https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies|Gentoo policy]]
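Review bot: this hunk removes the remaining per-library lists (fudforum through curl, including entries such as "wget (code for NTLM authentication)") without stating that they were carried over to the security-tracker `embedded-code-copies` file that the new text points to as the maintained list. Confirm they were migrated, otherwise the removal loses tracking information; the malformed "=== mad MPEG decoding lib ==" heading in the removed block is moot once it is gone.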
