> Great. Can you share more details on the tooling you use?
>
> I also think that the file format likely needs an extension for this use
> case. At present it basically maps a source package to other source
> packages that include a copy of the former. It also includes an optional
> version of when the copy ceases to exist. In particular, there is no way
> to record when a copy was introduced. With more vendoring going on, that
> aspect is becoming more important to keep the workload manageable.
Currently I've made a prototype utility, dh_embedding, which, as soon as I polish it, I plan to upload to salsa and make a post here. With this utility, Debian package developers will be able to easily (much like installing files with dh_install) specify a list of embedded files. The utility will add headers like:

    Embedded-Python: foo (1.0.1), bar (2.0.1)

This way, answering the question "does any Debian package contain a vulnerable python package foo?" will be simple: just run `grep ^Embedded-Python: Packages`.

Once I finish this and upload it, I plan to return to the mailing list and continue the discussion of this problem.

--
. ''`.   Dmitry E. Oboukhov <[email protected]>
: :' :   <[email protected]>
`. `~'   work: <[email protected]>
  `-     71ED ACFC 6801 0DD9 1AD1 9B86 8D1F 969A 08EE A756
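As an added example, not part of Dmitry's post or of the dh_embedding prototype: a small Python checker for the proposed Embedded-Python header, run over a constructed Packages excerpt, that reports which binary packages embed a given Python module below a fixed version. It assumes the header syntax `name (version), ...` exactly as quoted above and uses a simplified numeric version ordering, not dpkg's full comparison rules.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Packages excerpt using the proposed header (not real data).
SAMPLE_PACKAGES = """\
Package: alpha
Version: 1.2-1
Embedded-Python: foo (1.0.1), bar (2.0.1)

Package: beta
Version: 0.9-3

Package: gamma
Version: 3.0-1
Embedded-Python: foo (1.2.0)
"""

# One entry of the header: "<module> (<version>)"
ENTRY_RE = re.compile(r"\s*([A-Za-z0-9_.-]+)\s*\(([^)]+)\)\s*")


def parse_packages(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each Package name to the (module, version) pairs its Embedded-Python header lists."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (leading whitespace) belong to the previous field; ignored here.
            if ":" in line and not line.startswith((" ", "\t")):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        name = fields.get("Package")
        if not name:
            continue
        embedded = []
        for item in filter(None, (s.strip() for s in fields.get("Embedded-Python", "").split(","))):
            m = ENTRY_RE.fullmatch(item)
            if m:
                embedded.append((m.group(1), m.group(2)))
        result[name] = embedded
    return result


def version_key(version: str) -> Tuple[int, ...]:
    """Assumption: dotted-integer ordering only; real checks should use dpkg --compare-versions."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def affected_packages(text: str, module: str, fixed_version: str) -> List[Tuple[str, str]]:
    """Packages that embed `module` at a version older than `fixed_version`."""
    return [(pkg, ver) for pkg, entries in parse_packages(text).items()
            for name, ver in entries
            if name == module and version_key(ver) < version_key(fixed_version)]
```

Running `affected_packages(SAMPLE_PACKAGES, "foo", "1.1.0")` on the sample reports only `alpha`, since `gamma` already embeds foo 1.2.0.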

