Source: restinio
Severity: important

Hi,

restinio uses embedded code copies. This is against policy 4.13.

The directory dev/* contains for example
- catch2
- rapidjson
- nodejs/http_parser

There is also dev/restinio/third_party/zlib, which claims to be version 1.2.11, January 15th, 2017.
This version might be susceptible to several security vulnerabilities. I've not checked if it is used, though.

catch2 is declared as Build-Depends, but obviously not used: When removing catch2, the package FTBFS.

Please use the packaged version whenever possible and, to make sure that they are used, remove the embedded code copies before building, e.g. in d/clean.
(Alternatively, repackaging the source package would be possible, as there is currently no upstream signature to verify.)

Cheers,
tobi