Hi

On Wed, Feb 14, 2018 at 01:45:54AM +0800, Boyuan Yang wrote:
> Dear Debian security-tracker list members,
>
> When dealing with the new version of package qstardict [0][1], I
> encountered some embedded code about libqxt. According to [2], such a
> situation needs to be documented in the embedded-code-copies file.
>
> Here's the reason: libqxt upstream is dead since ~2013 [4] and the
> maintainer of libqxt in Debian is working to remove it from Debian
> Archive. [5] This made it impossible for qstardict to use libqxt as
> external dependency. As libqxt upstream suggested [4], qstardict
> selected a small part of code and embedded them for some features
> they provide. [6]
>
> I have already reported the problem upstream [7]. However, I realized
> later that complete removal of libqxt seems hard for upstream because
> that part of code still provides important features that cannot be
> replaced at the moment.
>
> Accidentally, I found another package under my maintenance is also
> using embedded libqxt (package copyq) [8].
>
> Then I found that there are many more embedded code snippets from
> libqxt spread around Debian Archive [9]. This surely should be
> documented.
>
> With the current situation, I suggest we embed libqxt code into
> qstardict for now and add the following placeholder entry in
> embedded-code-copies document:
>
> libqxt (no longer developed since 2013)
>     - qstardict <unfixable> (embed)
>     - copyq <unfixable> (embed)
>     NOTE: embed small parts of source files
>
> ...and add all other packages that are using embedded libqxt later.

Thank you. I have added a corresponding stanza to the
embedded-code-copies file.

Regards,
Salvatore
