Hi Paul, and thanks for your feedback!

On Sat, 16 Jan 2016 22:28:50 +0800 Paul Wise <p...@debian.org> wrote:
> On Fri, Jan 15, 2016 at 7:52 PM, Gard Spreemann wrote:
>
> > A search on codesearch.debian.net reveals that at least the following
> > packages in Debian bundle duplicates of the code:
> > - python-scipy (see also #778635)
> > - vxl
> > - nwchem
> > - plastimatch
> > - psi4
> >
> > I believe that Debian should provide lbfgsb as a standalone library,
> > as it is useful in its own right and its presence could lead to code
> > deduplication in the future.
>
> Please report these to the Debian security team so they can record the
> info in their metadata:
>
> https://wiki.debian.org/EmbeddedCodeCopies

I'm sorry, I seem to have spoken too soon. Most of these are the incompatible, older version 2 of L-BFGS-B. An exception is python-scipy, which really does bundle version 3 (with minor trivial patches).

> > Note that upstream's tarball
> > (http://users.iems.northwestern.edu/~nocedal/Software/Lbfgsb.3.0.tar.gz)
> > contains a few prebuilt binaries, and is also a minor tarbomb.
>
> Ick, that is something that needs fixing upstream.

I have now contacted upstream and notified them of some of these things, including prebuilt binaries, some metadata mess and some missing copyright notes.