Hi

On Wed, Feb 14, 2018 at 01:45:54AM +0800, Boyuan Yang wrote:
> Dear Debian security-tracker list members,
> 
> When dealing with the new version of package qstardict [0][1], I encountered
> some embedded code about libqxt. According to [2], such a situation needs to
> be documented in the embedded-code-copies file.
> 
> Here's the reason: libqxt upstream has been dead since ~2013 [4] and the
> maintainer of libqxt in Debian is working to remove it from the Debian
> Archive. [5] This made it impossible for qstardict to use libqxt as an
> external dependency. As libqxt upstream suggested [4], qstardict selected a
> small part of the code and embedded it for some features it provides. [6]
> 
> I have already reported the problem upstream [7]. However, I realized later
> that complete removal of libqxt seems hard for upstream because that part of
> the code still provides important features that cannot be replaced at the
> moment.
> 
> Accidentally, I found another package under my maintenance is also using
> embedded libqxt (package copyq) [8].
> 
> Then I found that there are many more embedded code snippets from libqxt
> spread around the Debian Archive [9]. This surely should be documented.
> 
> With the current situation, I suggest we embed libqxt code into qstardict for now
> and add the following placeholder entry in embedded-code-copies document:
> 
>  libqxt (no longer developed since 2013)
>     - qstardict <unfixable>  (embed)
>     - copyq <unfixable> (embed)
>     NOTE: embed small parts of source files
> 
> ...and add all other packages that are using embedded libqxt later.

Thank you. I have added a corresponding stanza to the
embedded-code-copies file.

Regards,
Salvatore
