
Bug#392362: [PROPOSAL] Add should not embed code from other packages



Neil McGovern <neilm@debian.org> writes:
> On Tue, Jun 26, 2007 at 08:36:51AM -0700, Russ Allbery wrote:

>>     Some software packages include in their distribution convenience
>>     copies of libraries from other software packages, generally so that
>>     users compiling from source don't have to download multiple
>>     packages.  Debian packages should not make use of these convenience
>>     copies.  If the included library is already in the Debian archive,
>>     the Debian packaging should ensure that the software is linked with
>>     the libraries already in Debian and the convenience copy is not
>>     used.  If the included library is not already in Debian, it should
>>     be packaged separately as a prerequisite.

> I've tried to stay away from compile type language (and to some extent
> 'link') as it's not only C* programs that this affects.

>>     Having multiple copies of the same code in Debian is inefficient,
>>     often creates either static linking or shared library conflicts,
>>     and, most importantly, increases the difficulty of handling
>>     security vulnerabilities in the shared code.

> Hrm... does rationale belong in policy?

> I like the wording though :)

Here's a proposed patch based on that wording, with the correction already
previously noted.

Comments?

--- orig/policy.sgml
+++ mod/policy.sgml
@@ -2077,6 +2077,30 @@
 	  the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+      <sect id="embeddedfiles">
+	<heading>Convenience copies of libraries</heading>
+
+	<p>
+	  Some software packages include in their distribution convenience
+	  copies of libraries from other software packages, generally so
+	  that users compiling from source don't have to download multiple
+	  packages.  Debian packages should not make use of these
+	  convenience copies.  If the included library is already in the
+	  Debian archive, the Debian packaging should ensure that binary
+	  packages reference the libraries already in Debian and the
+	  convenience copy is not used.	 If the included library is not
+	  already in Debian, it should be packaged separately as a
+	  prerequisite.
+	  <footnote>
+	    Having multiple copies of the same code in Debian is
+	    inefficient, often creates either static linking or shared
+	    library conflicts, and, most importantly, increases the
+	    difficulty of handling security vulnerabilities in the shared
+	    code.
+	  </footnote>
+	</p>
+      </sect>
+
     </chapt>
 
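Review bot: the new section gives no guidance for the common case where the convenience copy has been modified by upstream and cannot simply be swapped for the archive copy; as written, "the Debian packaging should ensure that binary packages reference the libraries already in Debian" leaves a maintainer with a locally patched embedded copy no compliant option. Consider either an explicit, documented exception or wording that allows the embedded copy to be kept when the archive version is unusable for that package. Also, "reference the libraries already in Debian" is vaguer than the "linked with" wording it replaced; since the intent (per the thread) is to cover non-C languages, "build against and depend on the libraries already in Debian" says what is meant without assuming linking. Minor: there is a stray tab in the running text after "convenience copy is not used." that should be a single space, and the section id "embeddedfiles" does not match the heading "Convenience copies of libraries"; an id such as "convenience-copies" would be easier to find.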
-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>


