This file collects cases, where a source package embeds code from
other projects, without linking dynamically:

xpdf code: (some use xpdf 2, some xpdf 3)
gpdf
pdftohtml
kdegraphics/kpdf
tetex-bin
cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though)
poppler

zlib code: (separate between 1.2 and 1.1)
dpkg
rsync
mozilla-firefox
mozilla(?)
Linux kernels


libgadu/ekg:
centericq
gaim
kopete (ships the code, but links dynamically in the Debian package)
kadu (not packaged in Debian)
GNU gadu (not packaged in Debian)


xmlrpc: (which package is the "origin" of this code?)
drupal
phpgroupware
egroupware
phpwiki
php4 (php-pear, IIRC this was reorganized some weeks ago?)
tikiwiki (not packaged in Debian)


shtool: (affects build-time only)
mysql-ocaml
php4 


mozilla:
mozilla-firefox
mozilla-thunderbird
nvu


xli:
xloadimage


lesstif: (beware: two different lesstif APIs supported in one package, 1.2 discarded upstream)
openmotif
xfree86/xorg (in libxpm, still the case with x.org?


kerberized apps with BSD origin:
krb4
krb5
heimdal


grip: (which pkg is the origin?)
libcdaudio
grip
gnome-vfs (vfs2 as well?)


fudforum:
phpgroupware-fudforum
egroupware-fudforum


cvs:
gcvs (at least an additional script is included, check if there's more)

pcre:
python
php4 (src included, but Debian package links dynamically)


tiff:
wxpythongtk (check, which debian pkg this is in)
older kdegraphics/kpdf releases < 3.3 embedded a copy

uudeview:
libconvert-uulib-perl

sqlite: (not affected by security vulnerabilities so far)
amarok

uudeview:
libconvert-uulib-perl