"Dmitry E. Oboukhov" <[email protected]> writes:

> Currently I've made a prototype utility dh_embedding, which as soon as I
> polish it, I plan to upload to salsa and make a post here. With this
> utility, Debian package developers will be able to easily (much like
> installing files with dh_install) specify a list of embedded files. The
> utility will add headers like: Embedded-Python: foo (1.0.1), bar
> (2.0.1). This way, answering the question "does any Debian package
> contain a vulnerable python package foo" will be simple: just run grep
> ^Embedded-Python: Packages. Once I finish this and upload it, I plan to
> return to the mailing list and continue the discussion of this problem.

Thank you, so much, for starting a test implementation and seeing what happens! People are often reluctant to do this because there's no guarantee that the code ends up being used, but it is so helpful when evaluating proposals to be able to see concretely what the world might look like when the proposal is adopted. We get so much clarity out of having a rough implementation of the idea, and I really appreciate people willing to take the time to try ideas out that way.

-- 
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>
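
The query described in the quoted proposal, as an added example that is not part of either message and is not dh_embedding's code: it goes one step past the grep by mapping each `Embedded-Python` entry back to the binary package that carries it. It assumes the field looks exactly as quoted (`name (version)`, comma-separated); the function names and the sample index are constructed for illustration, and versions are matched as exact strings rather than with dpkg ordering.

```python
import re

# Constructed sample of a Packages index. Embedded-Python is the field
# proposed in the message above, in the format quoted there (an assumption).
SAMPLE_PACKAGES = """\
Package: alpha
Version: 1.2-1
Embedded-Python: foo (1.0.1), bar (2.0.1)

Package: beta
Version: 0.9-3
Depends: python3

Package: gamma
Version: 3.0-2
Embedded-Python: baz (0.4),
 foo (1.0.2)
"""

ENTRY = re.compile(r"^\s*(\S+)\s*\(\s*([^)\s]+)\s*\)\s*$")

def parse_stanzas(text):
    """Yield each stanza as a dict, folding continuation lines into the field."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def find_embedded(text, name, versions=None, field="Embedded-Python"):
    """Return sorted (package, embedded_version) pairs that embed `name`."""
    hits = []
    for st in parse_stanzas(text):
        for item in st.get(field, "").split(","):
            m = ENTRY.match(item)
            # versions=None matches any version; otherwise exact strings only
            if m and m.group(1) == name and (versions is None or m.group(2) in versions):
                hits.append((st.get("Package", "?"), m.group(2)))
    return sorted(hits)

if __name__ == "__main__":
    for pkg, ver in find_embedded(SAMPLE_PACKAGES, "foo", {"1.0.1"}):
        print(f"{pkg} embeds foo {ver}")
```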

