I would like to improve the security of Debian packages by adding a lexical scanner (searching for all kinds of insecure commands and programming practices) into tools like lintian or the build daemons.

A guy (John Viega <[EMAIL PROTECTED]>) already has some of the features I would like to see in this scanner, and he sure is good at what he is doing. The problem is the license. Please find it attached to this mail. I contacted him about that and the problem is the lawyers of his company, of course. We do not collide with the license if we use the program in the described way. But we would not be able to have it in main, rather in non-free. Is it OK to use it in the Debian development process then? If we integrate it into the build daemons (which are not packaged and distributed anyway, even though for different reasons) we would not even come close to distributing it. How does Debian handle such issues? Policy isn't so positive about this, I guess. Are there any earlier, similar cases? I am not on this list, please CC me.

