On Sunday, 10 September 2023, 05:44:02 UTC, Rene Engelhard wrote:
> severity 1051474 important
>
> thanks
>
> Hi,
>
> On 08.09.23 at 19:19, Bastien Roucariès wrote:
> > Source: libreoffice
> > Severity: serious
> > Tags: security
> > Justification: Document embedded code copy + copyright
> > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> Since when is that serious? It isn't. There have been no complaints from
> anyone in the security team in any of the last security updates?

I have reason to complain security wise

> (None of which affected any of the internal copies used,)
>
> The policy says "should". And it is followed.
>
> The most stuff isn't used as internal code copies, only the unavoidable
> ones are. And TTBOMK the security team DOES know it.

Yes I know

> > Could you document that you embed a few tarballs under the security
> > tracker?
>
> You mean I should send MRs to it?

Yes I think so

> > Moreover you do not document where you downloaded these files; a comment
> > under copyright will be helpful (README.source says how to retrieve it, not
> > the link to get).
>
> The fetch it manually and put it there. (Which normally would be done
> from upstream's build system for ALL tarballs, even those not used..)
>
> (It basically always is https://dev-www.libreoffice.org/src/ (which
> mirrors stuff they got from the website):

:S I will really prefer that we download from upstream

> Makefile: $(call fetch_Download_item_unchecked,https://download.documentfoundation.org/libreoffice/src/$(shell echo $(gb_LO_VER) | sed -e "s/\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/"),libreoffice-$(i)-$(gb_LO_VER).tar.xz))
>
> Regards,
>
> Rene