External check

2018-02-13 Thread Security Tracker
CVE-2016-5397: TODO: check
CVE-2018-6930: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.



Suggestion to add new embed code entry for libqxt

2018-02-13 Thread Boyuan Yang
Dear Debian security-tracker list members,

When dealing with the new version of package qstardict [0][1], I
encountered some embedded code about libqxt. According to [2], such a
situation needs to be documented in the embedded-code-copies file.

Here's the reason: libqxt upstream has been dead since ~2013 [4] and the
maintainer of libqxt in Debian is working to remove it from the Debian
Archive. [5] This made it impossible for qstardict to use libqxt as an
external dependency. As libqxt upstream suggested [4], qstardict selected
a small part of the code and embedded it for some features they
provide. [6]

I have already reported the problem upstream [7]. However, I realized later
that complete removal of libqxt seems hard for upstream because that part
of the code still provides important features that cannot be replaced at
the moment.

Accidentally, I found that another package under my maintenance is also
using embedded libqxt (package copyq) [8].

Then I found that there are many more embedded code snippets from libqxt
spread around the Debian Archive [9]. This surely should be documented.

With the current situation, I suggest we embed libqxt code into qstardict
for now and add the following placeholder entry to the embedded-code-copies
document:

 libqxt (no longer developed since 2013)
- qstardict   (embed)
- copyq  (embed)
NOTE: embed small parts of source files

...and add all other packages that are using embedded libqxt later.

Thank you very much and please keep me in CC list.


--
Regards,
Boyuan Yang

[0] https://bugs.debian.org/07
[1] https://tracker.debian.org/pkg/qstardict
[2] https://wiki.debian.org/EmbeddedCodeCopies
[3] https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies
[4] https://bitbucket.org/libqxt/libqxt/wiki/Home
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875027#10
[6] https://github.com/a-rodin/qstardict/tree/master/qxt
[7] https://github.com/a-rodin/qstardict/issues/16
[8] https://sources.debian.org/src/copyq/3.1.2-1/qxt/
[9] https://codesearch.debian.net/search?q=libqxt
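The message above relies on codesearch to spot embedded libqxt and then documents the copies by hand. Below is an added example (not code from the security tracker, qstardict or copyq) of how a maintainer could confirm an embedded copy inside an unpacked source package and render the entry in the form proposed in the message. The detection heuristics are this example's own assumptions: a file whose basename starts with "qxt", or a file carrying a "libqxt" marker string, is treated as a copied libqxt source, while a quoted `#include "qxt*.h"` marks a file that consumes the local copy. An angle-bracket include such as `<QxtCore/QxtGlobal>` is deliberately not counted, because that is what a package built against the system libqxt looks like rather than an embed. The sample source tree is constructed in a temporary directory so the script runs offline.

```python
"""Find embedded libqxt sources in an unpacked package and print an
embedded-code-copies style entry.  Added example; heuristics are assumptions."""
import os
import re
import tempfile

# Assumption: libqxt files are named qxt*.h / qxt*.cpp (case-insensitive).
QXT_BASENAME = re.compile(r"^qxt[a-z0-9_]*\.(h|hpp|cpp|cc)$", re.IGNORECASE)
# Assumption: a copied libqxt source keeps the project name in its header.
QXT_MARK = re.compile(r"\blibqxt\b", re.IGNORECASE)
# A quoted include points at a header shipped in the package tree (local copy);
# <QxtCore/...> style includes would come from the system library and are ignored.
QXT_LOCAL_INCLUDE = re.compile(
    r'^\s*#\s*include\s*"(?:[a-z0-9_/]*/)?qxt[a-z0-9_]*\.h"',
    re.IGNORECASE | re.MULTILINE)
SOURCE_SUFFIXES = (".h", ".hpp", ".cpp", ".cc", ".c")
SKIP_DIRS = {".git", ".pc", "debian"}


def find_embedded_qxt(root):
    """Return {"copies": [...], "users": [...]} of paths relative to root.

    copies: files that appear to be libqxt sources themselves.
    users:  package sources that include a local qxt header."""
    copies, users = set(), set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if not name.lower().endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    head = fh.read(64 * 1024)  # headers/copyright sit at the top
            except OSError:
                continue
            if QXT_BASENAME.match(name) or QXT_MARK.search(head):
                copies.add(rel)
            elif QXT_LOCAL_INCLUDE.search(head):
                users.add(rel)
    return {"copies": sorted(copies), "users": sorted(users)}


def format_entry(upstream, packages, note=None):
    """Render an entry in the shape proposed in the message above."""
    lines = [upstream] + ["- %s (embed)" % p for p in packages]
    if note:
        lines.append("NOTE: " + note)
    return "\n".join(lines)


def build_demo_tree():
    """Constructed sample package tree (not a real qstardict/copyq checkout)."""
    root = tempfile.mkdtemp(prefix="qxt-demo-")
    files = {
        "qxt/qxtglobal.h": "/* Constructed stand-in for a libqxt header. */\n"
                           "#define QXT_VERSION 0\n",
        "src/main.cpp": '#include "qxtglobal.h"\nint main() { return 0; }\n',
        # Built against the packaged Qxt library: a dependency, not an embed.
        "src/other.cpp": "#include <QxtCore/QxtGlobal>\nvoid f() {}\n",
        "debian/control": "Source: demo\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    result = find_embedded_qxt(build_demo_tree())
    print("libqxt copies:", result["copies"])
    print("users of the local copy:", result["users"])
    print(format_entry("libqxt (no longer developed since 2013)",
                       ["qstardict", "copyq"],
                       "embed small parts of source files"))
```

Run against a real `apt-get source` checkout by passing its directory to `find_embedded_qxt`; a non-empty `copies` list is what should be recorded in the tracker, while a package that only shows up under `users` with angle-bracket includes needs no entry.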



DSA candidates

2018-02-13 Thread Security Tracker
advancecomp
--
dolibarr
--
gifsicle
--
icu
--
jakarta-jmeter
--
kde-runtime
--
krb5
--
leptonlib
--
libgcrypt20
--
librsvg
--
libspring-java
--
mupdf
--
opencv
--
openexr
--
pound
--
puppet
--
puppet-module-puppetlabs-apache
--
puppet-module-puppetlabs-apt
--
puppet-module-puppetlabs-mysql
--
python-crypto
--
python-pysaml2
--
suricata
--
wavpack
--
wireshark
--
wordpress
--
gnupg1/stable
--
golang-1.7/stable
--
golang-1.8/stable
--
plasma-workspace/stable
--
undertow/stable
--
audacity/oldstable
--
dojo/oldstable
--
dokuwiki/oldstable
--
gnupg/oldstable
--
golang/oldstable
--
jquery/oldstable
--
php-horde-crypt/oldstable
--
polarssl/oldstable
--
--
The above is a list of DSA candidates based on the tracker's information.
One should evaluate the candidates and either add them to dsa-needed.txt
or consider tagging them no-dsa.