Fedora (RPM) has this thing called "Provides: bundled(library_name) = version" that can be added when the maintainer knows the package is bundling a library.
There are situations where the bundled libraries are modified, or are hard to unbundle and the maintainer wants to do it later. Or sometimes it simply makes sense to use bundled libraries like sys-devel/gcc is doing with libffi for gcj.
I propose we add an entry like, for example:
This would allow tools, or Package Manager itself to tell the security@ and qa@ teams immediately which packages bundle what when a security bug is reported.
Tracking these only by bugzilla is not convinient and things go to /dev/null accidentally very easily.