Package: gnome-vfs2 Severity: important Hello, This is a (semi) mass bug filing against your package as it embeds it''s own copy of neon, rather than dynamically linking against the libneon26 package. * Why is this important? It is important, as embedding copies of code, rather than linking against them creates a lot more work for the security team. * How was this discovered? It was discovered by running clamscan with a signature from the neon binaries against the entire archive. * But neon is openssl licenced, so I can''t link againt it! Not any more :) Neon now produces a gnutls version under package name neon26 (libneon26-gnutls). * Is this RC? For etch, not by itself. It may be a release goal for etch+1. However, it''s still important and will be considered when working out if your package can be supported by the security team. Many thanks, Neil McGovern