--- data/embedded-code-copies 2005/09/21 08:53:12 2068 +++ data/embedded-code-copies 2009/12/04 01:31:53 13445 
@@ -1,98 +1,1441 @@ -This file collects cases, where a source package embeds code from -other projects, without linking dynamically: +Embedded code copies +==================== -xpdf code: (some use xpdf 2, some xpdf 3) -gpdf -pdftohtml -kdegraphics/kpdf -tetex-bin -cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though) -poppler - -zlib code: (separate between 1.2 and 1.1) -dpkg -rsync -mozilla-firefox -mozilla(?) -Linux kernels - - -libgadu/ekg: -centericq -gaim -kopete (ships the code, but links dynamically in the Debian package) -kadu (not packaged in Debian) -GNU gadu (not packaged in Debian) - - -xmlrpc: (which package is the "origin" of this code?) -drupal -phpgroupware -egroupware -phpwiki -php4 (php-pear, IIRC this was reorganized some weeks ago?) -tikiwiki (not packaged in Debian) - - -shtool: (affects build-time only) -mysql-ocaml -php4 - - -mozilla: -mozilla-firefox -mozilla-thunderbird -nvu - - -xli: -xloadimage - - -lesstif: (beware: two different lesstif APIs supported in one package, 1.2 discarded upstream) -openmotif -xfree86/xorg (in libxpm, still the case with x.org? - - -kerberized apps with BSD origin: -krb4 -krb5 -heimdal - - -grip: (which pkg is the origin?) -libcdaudio -grip -gnome-vfs (vfs2 as well?) 
- - -fudforum: -phpgroupware-fudforum -egroupware-fudforum - - -cvs: -gcvs (at least an additional script is included, check if there's more) - -pcre: -python -php4 (src included, but Debian package links dynamically) -analog (src included, but Debian package links dynamically) -libgoffice-1 -tf5 (since 5.0beta7 the Debian package links dynamically) - -tiff: -wxpythongtk (check, which debian pkg this is in) -older kdegraphics/kpdf releases < 3.3 embedded a copy - -uudeview: -libconvert-uulib-perl - -sqlite: (not affected by security vulnerabilities so far) -amarok - -uudeview: -libconvert-uulib-perl - -util-linux/mount: -loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb +This file collects source packages that embed code from other projects. +This is considered bad for fixing security flaws because the fix needs +to be applied in multiple source packages. + +Format: + () + - (; bug #) + NOTE: optional comments about the linkage of the embedding srcpkg + +status: version number fixing the embedded copy, , , + , , if the version number can not + be determined, or for unavoidable cases (e.g., forks + that add real value) +sort: static (linking statically against a lib) + embed (embedding a copy of the library into another source package) + fork (the package is not just embedding code but it is a fork and + thus might share parts of the source code) + old-version (the package is an older version of essentially + the same code) + +The srcpkg might be some string to identify the code if there is no +specific source package. + +Everything up to the next line is ignored. 
+---BEGIN +xpdf (some srcpkgs use xpdf2 code, some xpdf3 code) + NOTE: Fixed packages link to poppler library unless otherwise noted + - pdftohtml + [sarge] - pdftohtml + [etch] - pdftohtml + NOTE: has been replaced by poppler-utils + - kdegraphics 4:4.2.2-1 (embed; bug #436164) + - texlive-base 3.0-12 (embed) + - texlive-bin 2007-1 (embed) + NOTE: links to poppler + - koffice (embed; bug #436163) + - libextractor 0.5.12-1 (embed) + NOTE: libextractor is using its own pdf decoder now + - ipe (embed) + NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp + - ruby-gnome2 (embed) + NOTE: copy only present in source but links to poppler + - pdfedit (embed; bug #510794) + - swftools (embed; bug #551293) + - poppler (fork) + +ppmd + - libcomplearn-mod-ppmd (fork) + NOTE: discussion in #458152 + +libevent + - transmission 1.71-1 (embed; bug #529372) + +lrmi + - read-edid 2.0.0-1 (embed; bug #495131) + +peercast + - gnome-peercast (embed) + [etch] - gnome-peercast (embed) + +silc-toolkit + - silc-client 1.1~beta6-1 (embed) + +icclib + - ghostscript (embed) + - argyll (embed) + +dietlibc + - ccontrol 0.9.1+20071204-1 (static) + +libmikmod + - sdl-mixer1.2 (embed) + TODO: report bug + +libiax + - iaxmodem (embed; bug #548885) + +spandsp + - iaxmodem (embed; bug #548885) + +zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions) + - dpkg (embed) + NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion + - rsync (embed) + NOTE: somehow derived code base + - mono (embed) + TODO: check mozilla + - Linux kernels (embed) + - pvpgn 1.7.8-2 (embed) + - mrtg 2.12.2-1 (embed) + - rpm (embed) + NOTE: pinged anibal since when rpm was fixed + - tuxcmd-modules (embed) + - zsync + - tra + - sash + - nsis + - mseide-msegui + NOTE: mseide + - mirrordir + - poco + - klibc + - ghostscript + - freeimage + - clamav (fork) + NOTE: from the changelog: "libclamav6 does indeed 
duplicate parts of the zlib code, but there is not way around that" + - tuxonice-userui + - plt-scheme + - perl + - paraview + - gcvs + - dump + - aide (static) + - dar (static) + - avfs + - fpc + - winff + NOTE: inherited from fpc, see #472304 + - lazarus + NOTE: inherited from fpc, see #472304 + - erlang (embed) + - gamera 3.2.3-1 (embed) + - python2.4 (embed; bug #553403) + - python2.5 (embed; bug #553403) + +dulwich + - hg-git 0.1.0-1 (embed; bug #541996) + +libvigraimpex + - hugin (embed; bug #542259) + - enblend-enfuse (embed; bug #542258) + - gamera 3.2.3-1 (embed) + +libbz2 + - dpkg (static) + +libgadu + - centericq (embed) + - pidgin (links dynamically since initial release; fixed in gaim) + - gaim 1:2.0.0+beta3-3 (embed; bug #360280) + - kdenetwork 4:3.3.2-5 (embed) + NOTE: from kdenetwork: kopete + - ekg 1:1.8~rc0-1 (embed) + - kadu 0.6.0.2-3 (embed; bug #504430) + - gadu (embed) + +xmlrpc (which package is the "origin" of this code?) + - drupal (embed) + - phpgroupware (embed) + - egroupware (embed) + - phpwiki (embed) + - php4 (embed) + TODO: check, php-pear, IIRC this was reorganized some weeks ago? + +shtool (affects build-time only) + - mysql-ocaml (embed) + - php4 (embed) + +iceape + - iceweasel (fork) + - icedove (fork) + - xulrunner (fork) + - kompozer (embed; bug #532168) + - galeon (fork) + - epiphany-browser (fork) + - conkeror (fork) + - kazehakase (fork) + +xli + - xloadimage (embed) + +lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream) + - openmotif (embed) + - libxpm (embed) + +kerberized apps with BSD origin + - krb4 (embed) + - krb5 (embed) + - heimdal (embed) + +grip (which pkg is the origin?) 
+ - libcdaudio + - grip + - gnome-vfs + TODO: check vfs2 as well + +fudforum + [etch] - phpgroupware (embed) + NOTE: phpgroupware-fudforum + [sarge] - egroupware-fudforum (embed) + +libbsd + - rdate 1:1.2-3 (embed) + - atheme-services + - libbsd-arc4random-perl + - isakmpd + +cvs + - gcvs (embed) + NOTE: see cvsunix/src in tarball + +pcre3 + - php4 (embed) + - analog 2:5.23-0woody1 (embed) + - goffice (embed) + NOTE: libgoffice-* + - vfu 4.06-4.1 (embed; bug #450754) + - tf5 5.0beta7-1 (embed) + - monotone 0.43-1 (embed) + NOTE: this only affects versions >= 0.37 + - glib2.0 2.15.2-1 (embed) + - apache2 2.0.53-4 (embed) + - exim4 4.10-0.srh20.12 (embed) + - yacas (embed) + NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway + - gtamsanalyzer.app 0.42-5 (embed) + - tin 980117-1 (embed) + - kazehakase 0.5.2-1 + - webkit 1.0.1-1 (embed) + - qt4-x11 (embed) + NOTE: embedded via webkit copy + - erlang (embed) + +tiff + - wxwindows2.4 2.2.1 (embed) + - gamera 3.2.3-1 (embed) + +uudeview + - libconvert-uulib-perl (embed) + - pan (embed) + +sqlite (not affected by security vulnerabilities so far) + - amarok (embed) + - monotone 0.43-1 (embed) + - iceweasel (embed) + +util-linux/mount + - loop-aes-utils (embed) + NOTE: contains code from util-linux' mount in the mount-aes-udeb + +sylpheed + - sylpheed-claws (fork) + +phpsysinfo + - egroupware (embed) + - phpgroupware (embed) + +phpldapadmin + [sarge] - egroupware (embed) + NOTE: removed from egroupware after sarge + +chmlib + - kchmviewer (embed) + +ffmpeg (libavcodec/libavformat) + - mplayer 1.0~rc2-14 (embed; bug #395252) + - kino 1.0.0-1 + - vlc (Links dynamically since initial release) + - smilutils 0.3.0-10 + NOTE: smilutils likely fixed earlier, marking Etch's version as fixed + - motion 3.1.19-1 + - gstreamer0.10-ffmpeg 0.10.3-2 + - xmovie (static) + TODO: gimp-gap (potentially using ffmpeg code as well) + - avifile 1:0.7.48~20090503.ds-1 (embed; bug #538750) + +faad2 + - 
mplayer 1.0~rc2-20 (embed) + - avifile (embed; bug #538750) + - ffmpeg-debian (old-version) + +libmad (MPEG decoding lib) + - xine-lib (embed) + - avifile 1:0.7.48~20090503.ds-1 (embed) [./plugins/libmad/*] + TODO: check ocaml-mad, madplay, pymad, xmms-mad, xmms2 + +libdts + - xine-lib (embed) + +flac + - xine-lib (embed) + +liba52 + - a52dec (embed) + - xine-lib (embed) + +libmpeg2 + - mpeg2dec (embed) + - xine-lib (embed) + +libntlm + - wget (fork; bug #550436) + - curl (fork; bug #550437) + - cntlm (fork; bug #550438) + +uw-imap + - pine (embed) + - alpine (embed) + +imagemagick + - graphicsmagick (fork) + +python-urlgrabber + - mercurial (embed; bug #531062) + - w3af (embed; bug #555372) + [experimental] - harvestman (embed; bug #555373) + +beautifulsoup + - python-mechanize (embed; bug #555349) + - zope2.11 (embed; bug #555350) + - twill (embed) + +halibut + - nsis (fork) + +libghttp + - hotway (embed) + +libsndfile + - ardour 1:2.7.1-1 (embed) + +glibmm2.4 + - ardour 1:2.7.1-1 (embed) + +libgnomecanvasmm2.6 + - ardour 1:2.7.1-1 (embed) + +libsigc++-2.0 + - ardour 1:2.7.1-1 (embed) + +soundtouch + - ardour 1:2.7.1-1 (embed) + +libmms + - xine-lib (embed) + - mimms (embed) + +fckeditor + - knowledgeroot 0.9.8.5-3 (embed; bug #461555) + - moin 1.8.2-2 (embed; bug #452599) + - karrigell (embed; bug #452598) + - gforge 4.6.99+svn6225-1 (embed) + - request-tracker3.8 (embed) + +ipatlas (not packaged in Debian) + - moodle (embed; bug #507185) + +libphp-phpmailer + - moodle (embed; bug #507185) + - mahara (embed) + - symfony (embed) + [etch] - phpgroupware (embed) + NOTE: phpgroupware-felamimail is only in etch + - egroupware (embed; bug #504283) + - glpi + +htmlArea (not packaged in Debian) + - moodle (embed) + +giflib + - wine (embed; bug #466181) + +bennu (not packaged in Debian, http://bennu.sourceforge.net) + - moodle (embed) + +smarty + - moodle 1.8.2-2 (embed; bug #471158) + - gallery2 2.2.5-2 (embed; bug #471160) + - mahara 0.9.2-2 (embed; bug #471201) + - 
gosa 2.4beta1-1 (embed; bug #471200) + +TinyMCE + - wordpress 2.5.1-3 (embed; bug #478257) + - moodle (embed; bug #507185) + - knowledgeroot (embed) + - joomla (bug #326398) + +scintilla (upstream provides static lib, rejected shared lib http://sf.net/support/tracker.php?aid=2488121) + - scite (embed) + - qscintilla (embed) + - qscintilla2 (embed) + - geany (fork) + - anjuta (embed) + +libphp-adodb + - moodle (embed; bug #507185) + NOTE: also AdoDB-XML Schema + - gallery2 (embed) + - phppgadmin (embed) + - egroupware (embed) + - phpwiki (embed) + - torrentflux 2.0beta1-2 (embed) + - ipplan (embed) + - typo3-src (embed) + - cacti (embed) + [sarge] - cacti (embed) + NOTE: dependency exists, but internal version is used + - gforge 4.7~rc2-6 (embed) + - mahara (embed) + +gzip + - linux-kernel (embed) + NOTE: lib/inflate.c + - klibc (embed) + NOTE: based on linux-kernel gzip code + - busybox (embed) + +neon + - cadaver 0.22.3+debian-1 (embed; bug #188381) + - gnome-vfs2 (embed; bug #395874) + [etch] - litmus (embed; #395875) + - litmus (embed; #395875) + [sarge] - screem (embed) + - sitecopy 1:0.16.3-5 (embed; bug #395876) + [etch] - tla (embed; bug #395877) + [sarge] - tla (embed; bug #395877) + +libmodplug + - gst-plugins-bad0.10 (embed) + +libvncserver + - vino (embed) + +putty + - filezilla (embed) + +tinyxml (not packaged in Debian) + - filezilla + +gv + - evince (embed) + NOTE: ps/ tree from gv 3.5.8 + NOTE: evince-gtk is affected (a component of evince source package) + +libXbae + - paw (embed) + [etch] - paw (embed) + +libgtkhtml + - claws-mail-extra-plugins (fork) + +libXaw + - paw (embed) + [etch] - paw (embed) + NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty + +libgd2 + - graphviz (embed) + NOTE: lib/gd seems to be 2.0.33 + - wml (embed) + - libwmf (embed) + NOTE: derived from gd 1.6.3 + +rar + - unrar-nonfree (embed) + +unrar-free (maybe this code is derived from the original rar, too?) 
+ - clamav (embed) + NOTE: seems to be disabled in default config + +mplayer (DirectMedia Object loader) + - xine-lib (embed) + NOTE: src/libw32dll/ + - vlc (embed) + NOTE: modules/codec/dmo/ + - mplayer 1.0~rc2-20 (embed) + +libwpd (WordPerfect converter) + - openoffice.org (embed) + +fsplib (http://sourceforge.net/projects/fsp/) + - gftp (embed) + NOTE: lib/fsplib version 0.3 + +sprng + - tree-puzzle (embed) + +librpcsecgss + - krb5 (embed) + +jasper + - ghostscript (embed) + - gs-gpl (embed) + +libiris + - psi (embed) + - kdenetwork (embed) + NOTE: kopete embeds libiris but links dynamically to libidn + - kdegames (embed) + NOTE: ksirk/kde4 + +libidn + - monotone 0.43-1 (embed) + - psi (embed) + NOTE: psi embeds libiris which embeds libidn + - kdegames (embed) + NOTE: kdegames/kde4 embeds libiris which embeds libidn + +liblua + - monotone 0.43-1 (embed) + - nmap 5.00-1 (embed; bug #527997) + [lenny] - nmap (embed; bug #527997) + - ocropus (embed) + +libbotan + - monotone 0.43-1 (embed) + +NetXX + - monotone 0.43-1 (embed) + +libgc + - mono (embed) + +lzma + - p7zip (embed) + - xz-utils (fork) + +lzo + - grub2 (embed) + +yassl + - mysql-dfsg-5.0 (embed) + +pax code + - tar (embed) + - cpio (embed) + +t1lib + - tetex-bin 2.0.2-1 (embed) + - texlive-bin (embed) + +guichan + - boswars (embed) + NOTE: maintainer notified us, working on it + +tolua + - boswars (embed) + NOTE: maintainer notified us, working on it + - ocropus (embed) + - freeciv (embed) + +asio-dev + - luxrender (embed) + +xine-lib + - vlc (embed) + NOTE: only parts included in modules/access/rtsp + +netpbm + - tcl8.3 (embed) + - tcl8.4 (embed) + - tcl8.5 (embed) + NOTE: generic/tkImgGIF.c + +tk8.5 + - tk8.0 (old-version) + - tk8.3 (old-version) + - tk8.4 (old-version) + - perl-tk (fork) + +samba + - mc 2:4.6.2~git20080311-1 (embed) + NOTE: maintainer is aware of this, currently searching a solution + +plib1.8.4c2 + - boson (fork) + NOTE: embedding the font pieces of plib, based on the header file it 
is forked, contains "Added by AB for boson." and similar + +fribidi + - quesoglc (embed) + NOTE: compiled against system fribidi in Debian - embed only used when fribidi is not available on the system + +glew + - quesoglc (embed; bug #489341) + NOTE: waiting on GLEW_MX version of glew (see bug #474488) + - trigger (embed) + NOTE: http://lists.debian.org/debian-devel-games/2009/12/msg00007.html + - trigger-rally (embed) + NOTE: http://lists.debian.org/debian-devel-games/2009/12/msg00007.html + +minorGems (pabs contacted upstream about shared lib, he considers minorGems an 'ever-evolving collection of reusable code fragments' for his own use) + - transcend (embed) + - cultivation (embed) + - passage (embed) + - gravitation (embed) + +tar + - libarchive (embed) + NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable + +cpio + - libarchive (embed) + NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package) + +webkit + - qt4-x11 (embed) + +ftgl + - blender 2.46+dfsg-1 (embed) + +wv + - abiword + +qemu + - kvm (embed; bug #543159) + - xen-3 (embed) + - xen-unstable (embed) + +vgabios + - kvm (embed; bug #489442) + +bochs + - kvm (embed; bug #489442) + +speex + - vorbis-tools (embed) + NOTE: while comiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c + - gst-plugins-good0.10 (embed) + - xine-lib (embed) + - libfishsound (embed) + - libannodex (embed) + - vlc (embed) + - xmms-speex (embed) + - libsdl-sound1.2 (embed) + - sweep (embed) + +libreadline + - magic (old-version) + +opcode + - ode (embed) + NOTE: opcode is not a package in debian, it is just embedded + NOTE: http://www.codercorner.com/Opcode.htm + +gimpact + - ode (embed) + NOTE: gimpact is not a package in debian, it is just embedded + NOTE: http://gimpact.sf.net + +mochikit + - mahara (embed) + NOTE: they require extra patches, still 
unmerged upstream + - ntop (embed) + - coherence 0.6.2-1 (embed) + - paste (embed) + - turbogears (embed) + - plone3 (embed) + - xulrunner (embed) + - libjifty-plugin-chart-perl (embed) + - sabnzbdplus (embed) + - tgmochikit (embed) + +prototypejs + - netbeans-ide 6.0.1+dfsg-2 (embed) + - auth2db 0.2.5-2+dfsg-1 (embed; bug #555218) + - webcit (embed; bug #555219) + - asterisk 1:1.6.2.0~rc3-1 (embed) + - libjson-ruby 1.1.4-1 (embed; bug #555224) + - lucene2 2.9.1+ds1-2 (embed; bug #555226) + - horde3 (embed) + - knowledgeroot (embed; bug #555230) + - mediatomb (embed; bug #555233) + - mt-daapd 0.9~r1696.dfsg-6lenny2 (embed) + - ebug-http (embed; bug #555236) + - phpgedview (embed) + - poker-network (embed; bug #555238) + - rails 2.1.0-6 (embed) + - wordpress 2.5.0-2 (embed; bug #555243) + - zope (the prototypejs embed is not in any of the obvious zope packages, e.g. zope2.9, zope2.10, zope2.11, and zope3) + TODO: search through all of the other zope packages + - ampache 3.4.1-2 (embed) + - exaile 0.2.14+debian-2.1 (embed; bug #555245) + - hobix 0.5~svn20070319-4 (embed; bug #555247) + - zabbix 1.6.6-4 (embed; bug #555250) + - chora2 (embed; bug #555253) + - gollem (embed; bug # 555254) + - jscropperui 1.2.1-1 (embed; bug #555257) + - scriptaculous (uses system prototype.js since initial upload; bug #555260) + - ingo1 (embed; bug #555261) + - kronolith2 (embed; bug #555262) + - activeldap (embed) + - libv8 (contains a google-specific implementation of prototype.js) + - mantis (embed; bug #555265) + - otrs2 2.3.4-6 (embed; bug #555267) + - webcalendar (embed; bug #555269) + - redmine 0.9.0~svn2907-1 (embed; bug #555270) + - jifty 0.90519-1 (embed; bug #555271) + - jquery (embed; bug #555272) + - passenger 2.2.5debian1-1 (embed; bug #555273) + - plone3 (embed; bug #555275) + - wesnoth (prototype.js not included in any of the binary packages; bug #555277) + - libhtml-prototype-perl 1.48-3 (embed; bug #538920) + - xulrunner (embed) + NOTE: included in iceweasel/xulrunner 
unit tests directory, so may not be security-relevant + +gdb + - insight (embed) + +e2fsprogs + - ldiskfsprogs (fork) + +quazip (not packaged in Debian) + - qcake (embed) + NOTE: starting with upstream version 0.6.4 + +exo + - pcmanfm (embed; bug #499677) + NOTE: slightly modified source code + +java + - openjdk-6 + - sun-java5 + - sun-java6 + +libphp-snoopy + - ampache 3.4.1-2 (embed; bug #504169) + - gforge 4.6.99+svn6094-2 (embed) + - mahara 1.0.5-2 (embed; bug #504170) + - pixelpost 1.7.1-5 (embed; bug #504171) + - mediamate 0.9.3.6-5 (embed; bug #504172) + - opendb (embed; bug #504173) + [etch] - opendb (embed; bug #504173) + - wordpress 2.5.1-9 (embed; bug #443948) + - moodle (embed; bug #507185) + [etch] - phpgroupware (embed) + NOTE: phpgroupware-felamimail + - magpierss 0.72-3 (embed; bug #431089) + +jquery + - zekr (embed) + - wordpress (embed) + - yocto-reader (embed) + - textpattern (embed) + - genshi 0.5.1-1 (embed) + NOTE: compressed file under examples/ dir + - prewikka (embed) + - libramaze-ruby (embed) + - drupal5 (embed) + - b2evolution (embed) + - wesnoth (embed) + +tablesorter (jquery plugin, not packaged yet) + - wesnoth (embed) + +kses + - wordpress (embed; bug #504242) + NOTE: their copy has all methods renamed to wp_ + NOTE: kses isn't in Debian, RFP: #504240 + - moodle (embed; bug #507185) + - egroupware (embed) + +magpierss + - wordpress (embed; bug #504242) + - moodle + +php-gettext + - wordpress 2.8.4-1 (embed; bug #504242) + +libphp-ixr (name may change, it is the Incutio XML-RPC) + - wordpress (embed; bug #504242) + NOTE: libphp-ixr isn't in Debian, RFP: #504236 + - dokuwiki (embed) + - textpattern (embed) + +libphp-cas + - glpi (embed) + - moodle (embed; bug #505984) + +scriptaculous (prototype.js is among the embeds in the following) + - glpi (embed) + - libaws (embed; bug #555222) + - op-panel (embed) + - symfony (embed) + NOTE: maintainer says there are extra incompatible changes required + - pixelpost 1.7.1-6 (embed) + - 
webhelpers (embed) + - qwik (embed; bug #555241) + - smokeping (embed) + - turba2 (embed) + - typo3-src 4.2.3-1 (embed) + - request-tracker3.6 (embed) + - request-tracker3.8 (embed) + - rt-extension-emailcompletion (prototype.js not included in the binary package) + - wordpress 2.5.0-2 (embed) + - libhtml-prototype-perl 1.48-3 (embed) + +libmarkdown-php + - moodle (embed; bug #507185) + - pixelpost 1.7.1-6 (embed) + +php-openid + - wordpress-openid (embed) + +geshi + - dokuwiki 0.0.20080505-3.1 (embed) + - pgfouine 1.0-1.1 (embed) + - websvn 2.1.0-1 (embed) + +webcalendar + - gforge 4.7~rc2-6 (embed; bug #504758) + +libical + - kdepim (fork) + - kdepimlibs (fork) + NOTE: fixed in KDE4 post 4.1.x series + - claws-mail-extra-plugins (fork) + +libltdl3 + - kdelibs (embed) + NOTE: it's been said it sets RT_GLOBAL (or something like that) at runtime and version in experimental of libltdl can optionally set it + - synfig (embed) + +harfbuzz + - qt4-x11 (embed) + +libzip + - php5 (fork) + - odt2txt (embed; bug #523808) + +json.php (not packaged; should be replaced with php's built-in functions) + - moodle + - yui + - gallery2 + - dokuwiki + - typo3-src + +php-fpdf + - tcpdf (fork) + - moodle + - phpwiki + - egroupware + - ldap-account-manager (fork) + +tcpdf (itp: #495985) + - moodle + - phpmyadmin + +typo3 + - moodle + +spreadsheet_writeexcel (PHP port of libspreadsheet-writeexcel-perl; itp: #487557) + - moodle + - gosa + +php-ole (itp: #487558) + - moodle + +pieforms (http://www.catalyst.net.nz) + - mahara + +savant2 (http://phpsavant.com) + - egroupware + +rssparser (http://nwow.org) + - egroupware + - phpgroupware + +lcms + - openjdk-6 (fork) + +libphp-phplayersmenu + - diogenes + - phpldapadmin + +libphp-pclzip + - docvert + - moodle + - egroupware + +libphp-simplepie + - dokuwiki + +libphp-jpgraph + - egroupware + +php-simpletest + - moodle + +libpng + - iceweasel (uses xulrunner) + - icedove 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1, 2.0.0.19-1 (embed) + - 
iceape 1.0.13~pre080614i-0etch1 (embed) + - xulrunner 1.9.0.13-1 (embed) + [lenny] - xulrunner 1.9.0.11-0lenny1 + [etch] - xulrunner 1.8.0.15~pre080614i-0etch1 (embed) + - gamera 3.2.3-1 (embed) + +irssi + - silc-client (embed) + NOTE: Seems to be a pre-0.8.12 version that is used in irssi-plugin-silc + +extc + - mtasc (embed) + - haxe (embed) + +swflib + - mtasc (embed) + - haxe (embed) + +libitext-java + - bouncycastle 2.1.4-1 (embed) + +python-ply + - pyke (embed; bug #555363) + - pywbem (embed; bug #555364) + - sepolgen (embed; bug #555365) + - zope-textindexng3 (embed) + - iceweasel (uses xulrunner) + - xulrunner (embed) + - wireshark (python-ply modules are not installed into binary packages; see #554613) + +libdumbnet (libdnet upstream) + - nmap (fork) + +gcc-4.4 + - gcc-mingw32 (embed) + +camlimages + - advi (static; bug #550441) + +memcached + - memcachedb (embed) + +yajl + - argyll (embed; bug #544223) + NOTE: reference, confirmed by build logs: http://lists.debian.org/debian-mentors/2009/08/msg00062.html + +nusoap + - gforge 4.8.2-1 (embed) + +libept + - adept (embed; bug #540649) + +libvorbis + - iceweasel (uses xulrunner) + - xulrunner (embed; bug #540959) + [etch] - xulrunner (introduced in firefox 3.5) + [lenny] - xulrunner (introduced in firefox 3.5) + - iceape (embed) + [etch] - iceape (introduced in 2.0) + [lenny] - iceape (introduced in 2.0) + +cairo + - iceweasel (uses xulrunner) + - xulrunner 1.8.0.15~pre080614i-0etch1 (embed) + +liboggz + - iceweasel (uses xulrunner) + - xulrunner (embed; bug #540959) + [etch] - xulrunner (introduced in firefox 3.5) + [lenny] - xulrunner (introduced in firefox 3.5) + - iceape (embed) + [etch] - iceape (introduced in 2.0) + [lenny] - iceape (introduced in 2.0) + +liboggplay + - iceweasel (uses xulrunner) + - xulrunner (embed; bug #540959) + [etch] - xulrunner (introduced in firefox 3.5) + [lenny] - xulrunner (introduced in firefox 3.5) + - iceape (embed) + [etch] - iceape (introduced in 2.0) + [lenny] - iceape 
(introduced in 2.0) + +php-net-dnsbl + - serendipity (embed) + +php-onyx-rss + - serendipity (embed) + +php-text-wiki + - serendipity (embed) + +php-xml-rpc + - serendipity (embed) + +polarssl (does not have a shared library) + - pdkim (embed; bug #543150) + - xyssl (old-version) + +pidgin + - gaim (old-version) + +icu + - webkit 1.0.1-1 (embed; bug #547214) + - texlive-bin (fork) + NOTE: texlive upstream working with icu upstream to merge their changes + +cyrus-imapd-2.2 + - kolab-cyrus-imapd (fork) + - dovecot 1:1.2.1-1 (embed) [/dovecot-sieve/src/libsieve/*] + +python-cxx-dev + - freecad (embed; bug #547936) + +libzipios++-dev + - freecad (embed; bug #547941) + +linux-2.6 + - kvm (embed; bug #549973) [./kernel/*] + - linux-kbuild-2.6 (embed; bug #550379) [./kbuild/*] + - kernel-source-2.6.8 (old-version) + - kernel-source-2.4.27 (old-version) + - kernel-source-2.4.24 (old-version) + - kernel-source-2.2.25 (old-version) + - kernel-source-2.2.20 (old-version) + +libfdt (not yet packaged separately for debian; http://www.jdl.com/software/) + - kvm (embed) [./libfdt/*] + +qweb (not packaged) + - ajaxterm + +opensaml2 + - opensaml (old-version) + +shibboleth-sp2 + - shibboleth-sp (old-version) + +tuxonice-userui + - suspend2-userui (old-version) + +expat + - w3c-libwww (embed; bug #551941) + [etch] - w3c-libwww (embed; bug #551941) [./modules/expat/*] + - python-xml (embed; bug #551940) [./extensions/expat/*] + - python2.5 (embed; bug #553403) [./Modules/expat/*] + - python2.4 (embed; bug #553403) + - wxwindows2.4 (embed) + - wxwidgets2.6 (embed) + - wxwidgets2.8 (embed) + - celementtree (embed) + - audacity (embed) + - matanza (embed) + - tdom (embed) + - udunits (embed) + - apr-util 1.2 (embed) + - ayttm (embed) + - cableswig (embed) + - cadaver (embed) + - cmake (embed) + - coin3 (embed) + - gdcm (embed) + - ghostscript (embed) + - grmonitor (embed) + - iceape (embed) + - insighttoolkit (embed) + - libparagui1.1 (embed) + - paraview (embed) + - poco (embed) + - 
simgear (embed) + - sitecopy (embed) + - smart 1.0-1 (embed) + [etch] - smart (embed) + - swish-e (embed) + - tla (embed) + - vtk (embed) + - wbxml2 (embed) + - xmlrpc-c (embed) + - iceweasel (embed) + - kompozer (embed) + - vxl (embed) + - xulrunner (embed) + - apache2 2.2 (embed) + - texlive-bin (embed) [included twice] + - vnc4 (embed) + - xotcl (embed) + +xerces-c + - xerces-c2 (old-version) + - xerces27 (old-version) + +md5 (RSA's version; not the gnu version provided by coreutils) + - w3c-libwww (embed; bug #551942) + [etch] - w3c-libwww (embed; bug #551942) [./modules/md5/*] + +enet + - sauerbraten (embed; #497194) + +eglibc + - glibc (old-version) + +galib + - gamera 3.2.3-1 (embed) + +configobj + - bzr (embed; bug #555336) + - elisa (embed; bug #555337) + - gaupol (embed; bug #555338) + - ipython (embed; bug #555339) + - pida (embed; bug #555340) + - psychopy (embed; bug #555341) + - rest2web (embed; bug #555342) + - auth2db (embed) + - dynagen (embed) + - iceweasel (embed) + - sabnzbdplus (embed) + - xulrunner (embed) + - nipy (part of an example [/examples/neurospin/neurospy/configobj.py], which is not installed into binary packages) + +python-clientform + - bibus (embed; bug #555332) + - zope2.10 (embed; bug #555333) + - zope2.11 (embed; bug #555334) + - python-mechanize (embed) + - twill (embed) + +python-mechanize + - zope2.10 (embed; bug #555337) + - zope2.11 (embed; bug #555338) + - twill (embed; bug #555339) + +pexpect + - duplicity 0.6.06-1 (embed; bug #555361) + - hplip (embed; bug #555362) + - smart (embed; bug #555363) + +pyparsing + - bauble (embed; bug #555366) + - boa-constructor 0.6.1-8 (embed; bug #555367) + - calibre (embed; bug #555368) + - matplotlib (embed; bug #531024) + - zhpy (embed; bug #555370) + - polybori (embed) + - python-whoosh (embed) + - twill (embed) + - zope-textindexng3 (embed) + +python-pysqlite2 + - python2.4 (embed; bug #553403) + - python2.5 (embed; bug #553403) + +celementtree + - python2.5 (embed) + - smart 1.0-1 
(embed) + [etch] - smart (embed) + +elementtree + - python2.5 (embed) + - bzr (embed; bug #555343) + - gedit 2.28.2-1 (embed; bug #555344) + - smart 1.0-1 (embed) + [etch] - smart (embed) + - solfege (embed; bug #555345) + - w3af (embed; bug #555346) + - python-qt4 (embed) + - sphinx (embed) + - python-nltk (embed) + +python2.5 + - python2.4 (old-version) + - jython (embed) + NOTE: embeds many stdlib modules + - python-django (embed; bug #555419) + NOTE: embeds stdlib modules: doctest, decimal + - gamera 3.2.3-1 (embed) + NOTE: embeds stdlib modules: ConfigParser, optparse, sets, textwrap + - boa-constructor (embed; bug #555426) + NOTE: embeds stdlib modules: ConfigParser, tarfile, zipfile, xmlrpclib + - nicotine (embed; bug #555427) + NOTE: embeds stdlib modules: ConfigParser + - museek+ (embed; bug #555428) + NOTE: embeds stdlib modules: ConfigParser + - vegastrike-data (embed) + NOTE: embeds many stdlib modules + - codespeak-lib 1.1.1-1 (embed; bug #555420) + NOTE: embeds stdlib modules: doctest, optparse, subprocess, textwrap + - config-manager (embed; bug #555423) + NOTE: embeds stdlib modules: optparse + - jhbuild 2.28.0-1 (embed; bug #555421) + NOTE: embeds stdlib modules: optparse, subprocess + - smart (embed; bug #555432) + NOTE: embeds stdlib modules: optparse + - pyprotocols 1.0a.svn20070625-5 (embed; bug #555433) + NOTE: embeds stdlib modules: doctest + - ruledispatch 0.5a.svn20080510-4 (embed; bug #555434) + NOTE: embeds stdlib modules: doctest + - distribute (embed) + NOTE: embeds stdlib modules: doctest + - python-setuptools (embed; bug #555435) + NOTE: embeds stdlib modules: doctest + - zope.testing (embed; bug #555436) + NOTE: embeds stdlib modules: doctest + - translate-toolkit (embed; bug #555422) + NOTE: embeds stdlib modules: textwrap, contextlib + - libtpclient-py (embed; bug #555424) + NOTE: embeds stdlib modules: subprocess + - grass (embed; bug #555425) + NOTE: embeds stdlib modules: subprocess + - coherence (embed; bug #555429) + NOTE: 
embeds stdlib modules: uuid + - python-django-extensions 0.4.2pre+git200911182050-1 (embed; bug #555430) + NOTE: embeds stdlib modules: uuid + - setroubleshoot (embed; bug #555431) + NOTE: embeds stdlib modules: uuid + - linkchecker (embed; bug #555414) + NOTE: embeds msgfmt.py script + - imdbpy (embed) + NOTE: embeds msgfmt.py script + - kiwi (embed) + NOTE: embeds msgfmt.py script + - moin (embed) + NOTE: embeds msgfmt.py script, stdlib modules: cgitb, difflib, tarfile + - plone3 (embed) + NOTE: embeds msgfmt.py script + - roundup (embed) + NOTE: embeds msgfmt.py script, stdlib modules: cgitb + - rednotebook (embed; bug #555415) + NOTE: embeds msgfmt.py script + - turbogears (embed) + NOTE: embeds msgfmt.py script + - elisa (embed) + NOTE: embeds msgfmt.py script, stdlib modules: uuid + - calibre (embed) + NOTE: embeds msgfmt.py script, stdlib modules: zipfile + - mailman (embed; #555416) + NOTE: embeds msgfmt.py script + - python-docutils (embed) + NOTE: embeds stdlib modules: optparse, textwrap + - python-imaging (embed) + NOTE: embeds stdlib modules: doctest + - python-mechanize (embed) + NOTE: embeds stdlib modules: doctest + - twill (embed) + NOTE: embeds stdlib modules: subprocess + - zeroc-ice (embed) + NOTE: embeds stdlib modules: subprocess + - wxwidgets2.8 (embed) + NOTE: embeds stdlib modules: subprocess + - cycle (embed) + NOTE: embeds msgfmt.py script + - deluge (embed) + NOTE: embeds msgfmt.py script + - opendict (embed) + NOTE: embeds msgfmt.py script + - openerp-client (embed) + NOTE: embeds msgfmt.py script + - rapidsvn (embed) + NOTE: embeds msgfmt.py script + - wammu (embed) + NOTE: embeds msgfmt.py script + - gaphor (embed) + NOTE: embeds msgfmt.py script + - pida (embed) + NOTE: embeds msgfmt.py script + - python-formencode (embed) + NOTE: embeds msgfmt.py script + - duplicity (embed) + NOTE: embeds stdlib module: urlparse, tarfile + - pygopherd (embed) + NOTE: embeds stdlib module: zipfile + +argparse + - twill (embed; bug #555347) + - 
ipython (embed; bug #555348) + +coherence + - elisa (embed; bug #555335) + +simpletal + - plastex (embed; bug #555371) + +flickrpc (not packaged in Debian, http://burtonini.com/bzr/flickrpc/) + - postr (embed) + - elisa (embed) + +simplegeneric (not packaged in Debian, http://pypi.python.org/pypi/simplegeneric) + - apertium-tolk (embed) + - ipython (embed) + - virtaal (embed) + +distribute + - setuptools (old-version) + +rails + - jruby1.2 (embed) [./bench/rails/*] + - libgettext-ruby (embed) [./samples/rails/*] + - libopenid-ruby (embed) [./examples/rails_openid/*] + - thin (embed) [./spec/rails_app/*] + NOTE: this is a subdirectory of examples, which in general is a non-issue, but may + NOTE: be dangerous if developers are naively basing their code off of the examples + NOTE: prototype.js is among the example files + +lucene2 (prototype.js is among the embeds in the following) + - lucene (old-version) + - pylucene (embed) + - libpdfbox-java (embed) + - libfontbox-java (embed) + - libjempbox-java (embed) + - solr (embed) + +unicode-data + - syslinux (embed) + - camomile (embed) + - fribidi (embed) + - m17n-db (embed) + - sbcl (embed) + - heimdal (embed) + - icu (embed) + - icu4j (embed) + - krb5 (embed) + - moodle (embed) + - openldap (embed) + - pike7.6 (embed) + - samba (embed) + - samba4 (embed) + - cmucl (embed) + - typo3-src (embed) + - mauve (embed) + - texlive-bin (embed) + - ypsilon (embed) + - jeuclid (embed) + - charmap.app (embed) + - clisp (embed) + - gnulib (embed) + - opensrs-client (embed) + - saxonb (embed) + - rails (embed) + +feedparser + - rawdog (embed; bug #383422) + - miro (embed; bug #555351) + - calibre (embed; bug #555352) + - freevo (embed; bug #555353) + - pida (embed; bug #555354) + - planet-venus (embed; bug #555355) + - plone3 (embed; bug #555356) + - exaile 0.2.14+debian-1 (embed) + - screenlets 0.1.2-3 (embed) + NOTE: included twice + +agg: + - matplotlib (embed: bug #377271) + - contextfree (embed) + NOTE: since 2.2-1 it links 
statically to system libagg, but still uses the embedded copy + - exactimage (embed) + - python-enable (embed) + - mapnik 0.5.1-3 (embed) + NOTE: links statically to agg, but shared library is not available (bug #377271) + +vtk + - paraview (embed; bug #495426) + +txt2tags + - rednotebook (embed) + +htmltextview (not packaged in Debian, http://www.gnome.org/~gjc/htmltextview.py) + - gajim (embed) + - emesene (embed) + - convirt (embed) + - pida (embed) + - rednotebook (embed) + +horde3 (prototype.js is among the embeds in the following) + - mnemo2 (embed) + - nag2 (embed) + +cimg + - gmic (embed) + +mootools + - gmic (embed) + +openldap + - openldap2.3 (old-version) + +grub2 + - grub (old-version) + +gnupginterface + - duplicity (embed) + +python-dateutil + - awn-extras-applets (embed) + - matplotlib (embed) + +cups + - cupsys (old-version) + +yui + - bcfg2 (present in source but not included in any binary files) + - serendipity (embed; bug #557746) + - moodle 1.8.2.dfsg-5 (embed) + - jifty (embed; bug #557748) + - webgui 7.7.26-1 (embed) + - loggerhead 1.17-1 (embed) + +quake3 (vanilla source not packaged in debian) + - openarena (fork) + +quake2 (vanilla source not packaged in debian) + - alien-arena (fork) + - warsow (fork) + +libtheora + - iceweasel (uses xulrunner) + - xulrunner (embed; bug #540959) + [etch] - xulrunner (introduced in firefox 3.5) + [lenny] - xulrunner (introduced in firefox 3.5) + - iceape (embed; bug #559276) + [etch] - iceape (introduced in iceape 2.0) + [lenny] - iceape (introduced in iceape 2.0) + +dtoa + - bfilter (embed) + - cacao (embed) + - cdrdao (embed) + - classpath (embed) + - freej (embed) + - iceape (embed) + - iceweasel (embed) + - jscoverage (embed) + - kde4libs (embed) + - kdelibs (embed) + - kompozer (embed) + - libv8 (embed) + - mono (embed) + - newlib (embed) + - nspr (embed) + - php5 (embed) + - polyml (embed) + - qt4-x11 (embed) + - rhino (embed) + NOTE: code translated to Java + - ruby1.8 (embed) + - ruby1.9 (embed) + - 
ruby1.9.1 (embed) + - sdd (embed) + - sfind (embed) + - star (embed) + - tinymux (embed) + - virtualbox-ose (embed) + - webkit (embed) + - xulrunner (embed) + +ipc (not packaged in Debian; see http://mozdev.org/pipermail/enigmail/2009-November/011678.html) + - firegpg (embed) + - enigmail (embed)
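Review bot: Several added entries deviate from the `(sort; bug #NNN)` form the rest of the list uses, which makes them easy to miss when searching the file for open bugs or for a given sort. Under python2.5, `mailman (embed; #555416)` drops the `bug` keyword. Under agg, `matplotlib (embed: bug #377271)` uses a colon where the other entries use a semicolon, and the `agg:` header carries a trailing colon that no other section header has. Under libtheora and yui, `iceweasel (uses xulrunner)` and `bcfg2 (present in source but not included in any binary files)` put free text where a sort belongs; I would move that text to a `NOTE:` line and give each entry a sort or status. The distribute section names `setuptools (old-version)` while the python2.5 section lists what appears to be the same source package as `python-setuptools`; use one name in both places so a lookup by source package finds every entry. Minor: the notes for `duplicity` and `pygopherd` say `stdlib module:` where every other note says `stdlib modules:`.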