Bug#392362: [PROPOSAL] Add should not embed code from other packages
- To: 392362@bugs.debian.org
- Subject: Bug#392362: [PROPOSAL] Add should not embed code from other packages
- From: Russ Allbery <rra@debian.org>
- Date: Wed, 04 Jul 2007 01:00:39 -0700
- Message-id: <873b04simw.fsf@windlord.stanford.edu>
- Reply-to: Russ Allbery <rra@debian.org>, 392362@bugs.debian.org
- In-reply-to: <20070626223046.GO23964@mx0.halon.org.uk> (Neil McGovern's message of "Tue, 26 Jun 2007 23:30:46 +0100")
- References: <200706181559.22004.sf@debian.org> <20070618172743.GB3687@yellowpig> <20070625130221.GD23964@mx0.halon.org.uk> <20070625153353.GQ3320@yellowpig> <20070626125958.GM23964@mx0.halon.org.uk> <877ipqk9rg.fsf@windlord.stanford.edu> <20070626223046.GO23964@mx0.halon.org.uk>
Neil McGovern <neilm@debian.org> writes:
> On Tue, Jun 26, 2007 at 08:36:51AM -0700, Russ Allbery wrote:
>> Some software packages include in their distribution convenience
>> copies of libraries from other software packages, generally so that
>> users compiling from source don't have to download multiple
>> packages. Debian packages should not make use of these convenience
>> copies. If the included library is already in the Debian archive,
>> the Debian packaging should ensure that the software is linked with
>> the libraries already in Debian and the convenience copy is not
>> used. If the included library is not already in Debian, it should
>> be packaged separately as a prerequisite.
> I've tried to stay away from compile type language (and to some extent
> 'link') as it's not only C* programs that this affects.
>> Having multiple copies of the same code in Debian is inefficient,
>> often creates either static linking or shared library conflicts,
>> and, most importantly, increases the difficulty of handling
>> security vulnerabilities in the shared code.
> Hrm... does rationale belong in policy?
> I like the wording though :)
Here's a proposed patch based on that wording, with the correction already
previously noted.
Comments?
--- orig/policy.sgml
+++ mod/policy.sgml
@@ -2077,6 +2077,30 @@
the file to the list in <file>debian/files</file>.</p>
</sect>
+ <sect id="embeddedfiles">
+ <heading>Convenience copies of libraries</heading>
+
+ <p>
+ Some software packages include in their distribution convenience
+ copies of libraries from other software packages, generally so
+ that users compiling from source don't have to download multiple
+ packages. Debian packages should not make use of these
+ convenience copies. If the included library is already in the
+ Debian archive, the Debian packaging should ensure that binary
+ packages reference the libraries already in Debian and the
+ convenience copy is not used. If the included library is not
+ already in Debian, it should be packaged separately as a
+ prerequisite.
+ <footnote>
+ Having multiple copies of the same code in Debian is
+ inefficient, often creates either static linking or shared
+ library conflicts, and, most importantly, increases the
+ difficulty of handling security vulnerabilities in the shared
+ code.
+ </footnote>
+ </p>
+ </sect>
+
</chapt>
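Review bot: The added paragraph in <sect id="embeddedfiles"> says binary packages should "reference the libraries already in Debian" and that "the convenience copy is not used", but it does not say what happens to the copy itself or what a maintainer should do when the bundled copy has been modified and the archive version cannot replace it. Since the footnote names security handling as the most important reason, consider stating whether the copy must be excluded from the build or removed, and how a package that cannot comply should be handled. The heading says "libraries" while the id is "embeddedfiles"; settling on one term would make the scope clearer for code that is not linked.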
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>