Differences between revisions 35 and 37 (spanning 2 versions)
Revision 35 as of 2016-09-08 23:51:55
Size: 2846
Comment: Add my usertag.
Revision 37 as of 2016-09-17 04:02:59
Size: 2935
Editor: PaulWise
Comment: split paragraph to make it more obvious
Line 3: Line 3:
The list of packages embedding code from other projects is maintained in the secure-testing svn repository: The list of packages embedding code from other projects is maintained in the secure-testing svn repository.
Line 7: Line 7:
This list also contains information about code forks so that the security team can check if all forks contain the same vulnerabilities. Send suggestions or additions to the [[DebianList:debian-security-tracker|debian-security-tracker mailing list]]. This list also contains information about code forks so that the security team can check if all forks contain the same vulnerabilities.

All Debian members have commit access to the secure-testing repository and others can s
end suggestions or additions to the [[DebianList:debian-security-tracker|debian-security-tracker mailing list]].
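Review bot: the Line 3 change swaps the trailing colon for a period, although that sentence still introduces the repository URL that follows it on the page. Keeping the colon would tie the link to the sentence; the paragraph split at Line 7 reads fine as is.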

Debian Policy 4.13 states that Debian packages should not use convenience copies.

The list of packages embedding code from other projects is maintained in the secure-testing svn repository.

https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co

This list also contains information about code forks so that the security team can check if all forks contain the same vulnerabilities.

All Debian members have commit access to the secure-testing repository and others can send suggestions or additions to the debian-security-tracker mailing list.

Lintian detects embedding of feedparser, common JavaScript/C/C++/PEAR/PHP libraries and PostScript fragments.

The Debian duplication detector detects duplicate files in binary packages and may be useful for detecting verbatim duplication of interpreted code and data.
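The idea of verbatim duplicate detection across binary packages, as an added example (this is not the Debian duplication detector's code). It assumes a hypothetical layout where each directory under `root` is one unpacked binary package; the function names and the `min_size` threshold are also assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_shared_files(root, min_size=64):
    """Return {digest: {package: [paths]}}; root/<package>/ is one unpacked package (assumed)."""
    seen = defaultdict(lambda: defaultdict(list))
    for package in sorted(os.listdir(root)):
        pkg_dir = os.path.join(root, package)
        if not os.path.isdir(pkg_dir):
            continue
        for dirpath, _dirs, files in os.walk(pkg_dir):
            for name in files:
                path = os.path.join(dirpath, name)
                # Symlinks and tiny files (empty __init__.py) are not evidence.
                if os.path.islink(path) or os.path.getsize(path) < min_size:
                    continue
                seen[file_digest(path)][package].append(os.path.relpath(path, pkg_dir))
    # A file repeated only inside one package is not a cross-package copy.
    return {d: dict(p) for d, p in seen.items() if len(p) > 1}

def build_sample_tree(root):
    """Constructed sample: pkg-a and pkg-b both embed the same minilib.py."""
    lib = b"def parse(data):\n    return data.split(',')\n" * 3
    layout = {
        "pkg-a/usr/lib/a/vendor/minilib.py": lib,
        "pkg-b/usr/share/b/third_party/minilib.py": lib,
        "pkg-c/usr/lib/c/own.py": b"# code that exists only in pkg-c\n" * 3,
        "pkg-c/usr/lib/c/dup/own.py": b"# code that exists only in pkg-c\n" * 3,
        "pkg-a/usr/lib/a/__init__.py": b"",
        "pkg-c/usr/lib/c/__init__.py": b"",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_shared_files(tmp))
```

Exact hashing only finds byte-identical copies; a copy that was patched or reformatted after embedding will not match.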

Clonewise is a tool not yet in Debian that could be used to find unfixed vulnerabilities caused by embedded code copies.

If you have a particular piece of code with some interesting aspect (a security issue, etc.), you can likely find other copies using the Debian code search site or external code search engines such as Ohloh code, searchcode and GitHub.

Various Debian folks keep track of embedded code copies they found via usertags:

rbrito@ime.usp.br jwilk@debian.org pabs@debian.org sramacher@debian.org dr@jones.dk

See also