Dear Debian security-tracker list members,

When dealing with the new version of package qstardict [0][1], I
encountered some embedded code from libqxt. According to [2], such a
situation needs to be documented in the embedded-code-copies file.

Here's the reason: libqxt upstream has been dead since ~2013 [4] and the
maintainer of libqxt in Debian is working to remove it from the Debian
Archive. [5] This made it impossible for qstardict to use libqxt as an
external dependency. As libqxt upstream suggested [4], qstardict selected
a small part of the code and embedded it for some of the features it
provides. [6]

I have already reported the problem upstream [7]. However, I realized
later that complete removal of libqxt seems hard for upstream because
that part of the code still provides important features that cannot be
replaced at the moment.

Accidentally, I found that another package under my maintenance is also
using embedded libqxt (package copyq) [8].

Then I found that there are many more embedded code snippets from libqxt
spread around the Debian Archive [9]. This surely should be documented.

With the current situation, I suggest we embed libqxt code into qstardict
for now and add the following placeholder entry in the
embedded-code-copies document:

 libqxt (no longer developed since 2013)
    - qstardict <unfixable>  (embed)
    - copyq <unfixable> (embed)
    NOTE: embed small parts of source files

...and add all other packages that are using embedded libqxt later.

Thank you very much and please keep me in CC list.

Boyuan Yang

