[Secure-testing-team] embedded tiff in wx

Ron ron at debian.org
Sun Apr 20 18:11:34 UTC 2008


Hi,

I see that tiff is marked as embedded in wx in the embedded-code-copies
list in svn ...

This seems like it should be a false positive to me.  wx does embed tiff
(and zlib and jpeg and ...) into its source releases, but we should not
be using any of those for the binary debs -- we force it to use the
system libraries for those things instead.

I can't totally exclude that some cut'n'paste cowboy upstream has pasted
something which shows up in a scan of the main body of wx code (they've
done much worse than that before), but I'm not presently aware of any
wholesale duplication of libtiff in the code that we are using from them.

These embedded libraries will get used if you build the mingw-cross
.debs -- but we don't build or distribute binaries for that, or provide
security support for that non-debian arch.


Anyhow if there is something I've missed, I'm definitely curious to know
what, and eager to fix it if we can.  Otherwise, if this is one less thing
that you'll need to worry about the next time tiff hits the fan, I'll be
delighted about that too ;)

I'm not on this list, so please cc if you need anything more from me ...

Cheers,
Ron




