Bug#395874: Package gnome-vfs2 embeds neon
Josselin Mouette
joss at debian.org
Sat Oct 28 13:09:16 CEST 2006
forwarded 395874 http://bugzilla.gnome.org/show_bug.cgi?id=332290
tag 395874 + upstream wontfix
thanks
Le samedi 28 octobre 2006 à 11:38 +0100, Neil McGovern a écrit :
> This is a (semi) mass bug filing against your package as it embeds it's
> own copy of neon, rather than dynamically linking against the libneon26
> package.
>
> * Why is this important?
> It is important, as embedding copies of code, rather than linking
> against them creates a lot more work for the security team.
> * How was this discovered?
> It was discovered by running clamscan with a signature from the neon
> binaries against the entire archive.
> * But neon is openssl licenced, so I can't link againt it!
> Not any more :) Neon now produces a gnutls version under package name
> neon26 (libneon26-gnutls).
> * Is this RC?
> For etch, not by itself. It may be a release goal for etch+1. However,
> it's still important and will be considered when working out if your
> package can be supported by the security team.
I've already asked upstream about this problem (see the URL above), but
it is unfortunately not possible to link gnome-vfs to the system
libneon. The sources are slightly modified to use the gnome-vfs IO
layer, so I think to be fixed, it will require libneon to be able to use
an interchangeable IO layer.
--
Josselin Mouette /\./\
"Do you have any more insane proposals for me?"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Ceci est une partie de message
=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=
Url : http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20061028/c71637f7/attachment.pgp
More information about the Pkg-gnome-maintainers
mailing list