2
# We want to avoid shipping GNOME 1.x components if possible
10
# Packages which are pulled in incidentally (typically by build-dependencies)
11
# and could be trivially replaced with something that we ship
13
# java-common build-depends
15
# various build-depends, pulls in lua, consider standarizing html->text
17
# could be removed by getting rid of CHILL, which nothing uses
19
# tcl8.3 and tcl8.4 is more than enough, consider dropping tcl8.3 too
21
# no one actually uses this anymore
23
# mdz, 2004-06-15: only pulled in by vim
28
# Packages which are not supportable from a security standpoint
31
## mdz: Packages noticed in 2004-06-14 review of germinate output
33
# We shall only ship current kernel-source
39
# results in lots of unwanted setuid-ness; modern stuff uses X or fb
41
# we ship server software with TLS built-in
47
## Packages which haven't shown up yet; make sure they don't sneak in
49
# mdz, 2004-06-14: many, many bugs and unmaintained (both debian and upstream)
51
# mdz, 2004-06-14: lots of unsafe string handling, CVE-2002-0789,
52
# CAN-2003-0436, CAN-2003-0437
54
# mdz, 2004-06-14: requires no explanation
56
# mdz, 2004-06-14: CAN-2003-0781, unmaintained upstream, Debian#210444
58
# mdz, 2004-06-14: lots of DoS and other badness, CAN-2003-0946, CAN-2004-0270,
61
# mdz, 2004-06-14: upstream deliberately obfuscates vulnerabilities
62
# mdz, 2004-06-20: CAN-2002-0757, CAN-2003-0101, SNS 74, SNS 75