
Bug#392362: [PROPOSAL] Add should not embed code from other packages



Package: debian-policy
Version: 3.7.2.2
Severity: wishlist
Tags: patch


Hi all,

I'm including a patch that adds a should not to policy.

Title: 		Embedding code provided in other packages
Synopsis: 	Packages should not include or embed code that is available in
			other packages.
Rationale:	If a package contains embedded code, it becomes vulnerable
			to security bugs in the code it embeds. It's a) very hard to
			track this and b) makes it very hard to fix, as we have to
			issue multiple DSAs and fixed packages for any particular
			issue. A current list of packages we know to embed code is
			at [0].

Cheers,
Neil

[0]
http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
--- policy.sgml
+++ policy.sgml
@@ -2105,6 +2105,14 @@
 	  the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+    <sect id="embededfiles">
+      <heading>Embedding code provided in other packages</heading>
+      <p>
+      A package should not embed or include code from other
+      packages. Instead, the package should me modified to link against the
+      required files provided by the other package, and a Depends
+      relationship declared.</p>
+      </sect>
     </chapt>
 
 
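Review bot: the normative sentence in the new section says "code from other packages", which is looser than the synopsis in the covering mail ("code that is available in other packages"); suggest using the synopsis wording so the rule clearly targets code that is already packaged separately. In the same paragraph, "should me modified" is a typo for "should be modified", and "link against the required files" only fits compiled libraries, so wording such as "use the copy provided by the other package" would also cover embedded scripts and data. The section id "embededfiles" is misspelled and will be hard to change once it is a published anchor, so fix it to "embeddedfiles" (or "embeddedcode", to match the heading) before this is applied. The closing `</sect>` is indented two columns deeper than its opening `<sect id=...>`.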
