
Bug#392362: [PROPOSAL] Add should not embed code from other packages



Chris Waters wrote:
> > We want to avoid packages shipping their own versions of libraries,
> > as then if a security problem or major bug is discovered in that
> > library, we have lots of packages to update, and there's no guarantee
> > we'll even know which packages it affects.
> 
> I don't know if it can always be avoided. 

In any case it should be mandatory that these embedded code copies
be documented by maintainers, preferably in a central place.
Many cases of embedded code copies have only been discovered by
accident and the Security Team can't keep track of the whole archive.

In theory each maintainer and upstream should monitor security-related
changes in such embedded copies; in practice it just fails.

Cheers,
        Moritz
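The message above argues that embedded library copies are found by accident and that the security team cannot track the whole archive by hand. The following is an added example, not code from the bug report or from Debian's own tooling, of the simplest mechanical check that turns "by accident" into something repeatable: hash every file in a reference copy of a library, then report which package source trees contain byte-identical files. The library name (libfoo-1.2), package names and file contents are constructed sample data; the `min_matches` threshold is an assumption made so that a single shared file such as a licence text does not count as an embedded copy.

```python
"""Find byte-identical copies of a library's files inside other source trees.

Added example, not from the bug report or from any Debian tool. The output
is the kind of per-package record a central "embedded code copies" list
would hold, so that an advisory for the library maps to the packages that
ship their own copy of it.
"""
import hashlib
import tempfile
from pathlib import Path


def _digests(root: Path) -> dict:
    """Map SHA-256 digest -> relative path for every non-empty regular file under root."""
    out = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.stat().st_size > 0:
            out[hashlib.sha256(path.read_bytes()).hexdigest()] = str(path.relative_to(root))
    return out


def find_embedded_copies(library_root, package_roots, min_matches=2):
    """Return {package_dir_name: [(package_relpath, library_relpath), ...]}.

    A package is reported only when at least `min_matches` of its files are
    byte-identical to files in the library tree (assumed threshold), so one
    shared boilerplate file such as COPYING does not flag a package.
    """
    lib = _digests(Path(library_root))
    hits = {}
    for pkg_root in package_roots:
        pkg_root = Path(pkg_root)
        matches = []
        for path in sorted(pkg_root.rglob("*")):
            if not path.is_file() or path.stat().st_size == 0:
                continue
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in lib:
                matches.append((str(path.relative_to(pkg_root)), lib[digest]))
        if len(matches) >= min_matches:
            hits[pkg_root.name] = matches
    return hits


def build_sample_trees():
    """Constructed sample data: one library tree and three package trees.

    app-embeds vendors two library sources verbatim, app-license-only shares
    only the COPYING file, app-clean uses the system library header instead.
    """
    base = Path(tempfile.mkdtemp(prefix="embedded-copies-"))
    lib = base / "libfoo-1.2"
    lib.mkdir()
    files = {
        "foo.c": "int foo(void) { return 1; }\n",
        "foo.h": "int foo(void);\n",
        "COPYING": "GPL text\n",
    }
    for name, text in files.items():
        (lib / name).write_text(text)

    embeds = base / "app-embeds"
    (embeds / "third_party" / "foo").mkdir(parents=True)
    (embeds / "third_party" / "foo" / "foo.c").write_text(files["foo.c"])
    (embeds / "third_party" / "foo" / "foo.h").write_text(files["foo.h"])
    (embeds / "main.c").write_text("int main(void) { return 0; }\n")

    lic = base / "app-license-only"
    lic.mkdir()
    (lic / "COPYING").write_text(files["COPYING"])
    (lic / "main.c").write_text("int main(void) { return 1; }\n")

    clean = base / "app-clean"
    clean.mkdir()
    (clean / "main.c").write_text("#include <foo.h>\nint main(void) { return foo(); }\n")

    return lib, [embeds, lic, clean]


if __name__ == "__main__":
    lib, pkgs = build_sample_trees()
    for pkg, matches in find_embedded_copies(lib, pkgs).items():
        print(pkg)
        for pkg_path, lib_path in matches:
            print(f"  {pkg_path} == {lib.name}/{lib_path}")
```

Exact hashing only catches verbatim copies; a copy that was patched, reformatted or taken from a different upstream release will not match, which is precisely why the message asks maintainers to declare embedded copies rather than relying on discovery.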
