Package: zutils
Version: 1.11-5, 1.12~pre2-1
Severity: serious
Justification: Policy 10.1

Hi!

This package has a massive size, as it's pointlessly statically built. Not only does this violate a "must" requirement of the Policy, it also does so for no benefit at all: if the libraries it's linked with were subverted or corrupted, both the compressor and the actual tool invoked wouldn't be able to run anyway. On the other hand, any security hole in any library the program links with potentially requires a recompile. Even glibc itself receives several CVEs per year; they are in functions you almost surely don't use, but the binary doesn't provide this information anymore -- requiring the Security Team to analyze what is going on. That's why the Policy hates this seemingly minor issue so much.

Meow!

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (120, 'experimental'), (1, 'experimental-debug')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.3-00017-g519775569157 (SMP w/64 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages zutils depends on:
ii  libc6       2.35-0experimental1
ii  libgcc-s1   12.2.0-1
ii  libstdc++6  12.2.0-1

Versions of packages zutils recommends:
ii  bzip2     1.0.8-5
ii  lzip      1.23-4
ii  xz-utils  5.2.5-2.1
ii  zstd      1.5.2+dfsg-1

zutils suggests no packages.

-- no debconf information
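The report's point is that a statically built binary carries copies of its libraries, so a library CVE fix (glibc, libstdc++, ...) does not reach it until the package itself is rebuilt, and the binary no longer declares which libraries it contains. The following added example (not part of this bug report, the zutils package, or Debian's own tooling) is a small ELF program-header parser that classifies a binary as dynamic, static-pie or static, which is the check a reviewer or a security team would run over an archive to find such binaries. The classification rule is the usual one: a dynamically linked executable has a PT_INTERP segment naming the loader; a static-pie has PT_DYNAMIC but no PT_INTERP; a fully static binary has neither. The sample ELF images are constructed in the code (headers plus program headers only, no runnable code), and the helper names (`linkage`, `build_minimal_elf64`, `classify_file`) are mine.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3


def elf_program_header_types(data: bytes) -> list[int]:
    """Return the p_type of every program header in an ELF32/ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class = data[4]  # 1 = ELF32, 2 = ELF64
    ei_data = data[5]   # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        # ELF64: e_phoff at 0x20 (8 bytes); e_phentsize/e_phnum at 0x36/0x38
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif ei_class == 1:
        # ELF32: e_phoff at 0x1C (4 bytes); e_phentsize/e_phnum at 0x2A/0x2C
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # p_type is the first 4-byte field of a program header in both classes
        types.append(struct.unpack_from(endian + "I", data, off)[0])
    return types


def linkage(data: bytes) -> str:
    """Classify an ELF image as 'dynamic', 'static-pie' or 'static'."""
    types = elf_program_header_types(data)
    if PT_INTERP in types:
        return "dynamic"       # asks for ld.so; shared libraries are updated by the distro
    if PT_DYNAMIC in types:
        return "static-pie"    # self-relocating, but still embeds its libraries
    return "static"            # embeds everything; library fixes need a rebuild


def classify_file(path: str) -> str:
    """Read a binary from disk and classify it (whole-file read; fine for a demo)."""
    with open(path, "rb") as f:
        return linkage(f.read())


def build_minimal_elf64(ptypes: list[int]) -> bytes:
    """Constructed sample: a little-endian x86-64 ELF header followed by one
    program header per requested p_type. No code or data, just enough
    structure for the parser above."""
    phoff, phentsize = 64, 56
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1, SYSV ABI
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,          # e_type  = ET_EXEC
        62,         # e_machine = EM_X86_64
        1,          # e_version
        0x401000,   # e_entry (unused here)
        phoff, 0,   # e_phoff, e_shoff
        0,          # e_flags
        64, phentsize, len(ptypes),  # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,   # e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0)  # p_type, p_flags=PF_R, rest zero
        for t in ptypes
    )
    return header + phdrs


if __name__ == "__main__":
    # Usage: python elfcheck.py /usr/bin/zcat ...   (prints one line per file)
    for path in sys.argv[1:]:
        print(f"{path}: {linkage(open(path, 'rb').read())}")
```

Running the script over the contents of a package (for example every file under `usr/bin` of an unpacked .deb) flags anything reported as `static` or `static-pie`; those are the binaries that, as the report says, need a rebuild for every library fix and that `ldd` or the package's `Depends` line will not tell the Security Team about. The parser only looks at program headers, so it says nothing about which library versions were baked in; that is exactly the information the report notes is lost once the binary is linked statically.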