It includes zlib, libpng and expat at least:

adler32 /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/adb
adler32 /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/emulator
XML_Parse /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/aapt
png_get_libpng_ver /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/aapt
png_get_libpng_ver /var/tmp/portage/dev-util/android-sdk-1.0_p2/image/opt/android-sdk-1.0/tools/emulator

I'd suspect more too, considering I see the sqlite3 command in the tools/ directory being stripped, and libswt pre-stripped.
Yes, some of the binaries are linked against a few static libraries. I'll see what can be done about SWT.
For the static libraries, maybe you could complain upstream; they could reasonably be expected to fix it in a future version. If it's Google directly, maybe pushing through oCERT could also help.
I'll try to talk to Android people tomorrow.
The security/maintainability issues with this are obvious. However, could there be issues with deviating from the included library versions? Ostensibly the reason for having included libraries is so that you can build your application against the library versions that you're likely to find on the target platform. If everybody is running libfoo-1.0 on their phones, and Gentoo has libfoo-1.4 stable, would it be wise to use the Gentoo version?
(In reply to comment #4) In my opinion no -- but I need to confirm this.
I suspect this is safe to close for the reasons stated - the SDK doesn't present any security issues to the host system, and the generated code doesn't present any security issues to a phone it is installed on. The libraries on the phone might have issues, but those are maintained by the phone OS, not by this package. Unless there are objections I'll close this as WONTFIX in a few days...
Per comments, closing this bug - the SDK is intended to build against devices running standardized versions of libraries. It should not target the libraries installed by Gentoo as a result. Comment/reopen if I'm missing something here...