Julien BLACHE
2007-Oct-15 09:01 UTC
[Secure-testing-team] Bits from the Testing Security team
Stefan Fritsch <sf at debian.org> wrote:

Hi,

> Embedded code copies
> --------------------
>
> There are a number of packages including source code from external
> libraries, for example poppler is included in xpdf, kpdf and others. To
> ensure that we don't miss any vulnerabilities in packages that do so we
> maintain a list[6] of embedded code copies in Debian. It is preferable
> that you do not embed copies of code in your packages, but instead link
> against packages that already exist in the archive. Please contact us
> about any missing items you know about.

iaxmodem embeds copies of spandsp and libiax.

 - spandsp is a recent CVS snapshot with patches specific to
   iaxmodem, some of them having no chances of being integrated
   upstream at all (specific hooks)

 - libiax is a patched version of one of the 3 or 4 different libiax
   available; it contains a number of iaxmodem-specific patches &
   enhancements. Again, won't make it upstream any time soon, that
   would mean getting the 3 or 4 different libiax to merge and that's
   just not possible (different people have tried, myself included,
   and we couldn't get the upstreams to agree on something)

There's just no way to build iaxmodem against the libraries we have in
Debian; iaxmodem is only reliable when built with the embedded
libraries.

Thanks,

JB.

--
Julien BLACHE - Debian & GNU/Linux Developer - <jblache at debian.org>

Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169

Nico Golde
2007-Oct-15 12:11 UTC
[Secure-testing-team] Bits from the Testing Security team
Hi Julien,

* Julien BLACHE <jblache at debian.org> [2007-10-15 11:04]:
> Stefan Fritsch <sf at debian.org> wrote:
[...]
> iaxmodem embeds copies of spandsp and libiax.
>
>  - spandsp is a recent CVS snapshot with patches specific to
>    iaxmodem, some of them having no chances of being integrated
>    upstream at all (specific hooks)
>
>  - libiax is a patched version of one of the 3 or 4 different libiax
>    available; it contains a number of iaxmodem-specific patches &
>    enhancements. Again, won't make it upstream any time soon, that
>    would mean getting the 3 or 4 different libiax to merge and that's
>    just not possible (different people have tried, myself included,
>    and we couldn't get the upstreams to agree on something)
[...]

After discussing in private mail with Julien we came to the
conclusion that spandsp will be hardly relevant from the
security point of view so I added libiax to our list.

Kind regards and thanks for reporting
Nico

--
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.