Bug#392362: [PROPOSAL] Add should not embed code from other packages

To: Ian Jackson <ian@davenant.greenend.org.uk>
Cc: 392362@bugs.debian.org
Subject: Bug#392362: [PROPOSAL] Add should not embed code from other packages
From: Russ Allbery <rra@debian.org>
Date: Tue, 18 Dec 2007 13:03:01 -0800
Message-id: <[🔎] 87abo7hg1m.fsf@windlord.stanford.edu>
Reply-to: Russ Allbery <rra@debian.org>, 392362@bugs.debian.org
In-reply-to: <[🔎] 18280.10629.798199.984479@davenant.relativity.greenend.org.uk> (Ian Jackson's message of "Tue\, 18 Dec 2007 20\:11\:49 +0000")
References: <877ipqk9rg.fsf@windlord.stanford.edu> <20070626223046.GO23964@mx0.halon.org.uk> <873b04simw.fsf@windlord.stanford.edu> <20070704090125.GA26366@dario.dodds.net> <87lkdwotx9.fsf@windlord.stanford.edu> <20070716215718.GA29591@roeckx.be> <87zm15dtt7.fsf@windlord.stanford.edu> <871wa872bw.fsf@windlord.stanford.edu> <[🔎] 20071205170848.GA9601@riva.ucam.org> <[🔎] 20071205172617.GP13566@yellowpig> <[🔎] 20071205175550.GB13328@riva.ucam.org> <[🔎] 18280.10629.798199.984479@davenant.relativity.greenend.org.uk>

Ian Jackson <ian@davenant.greenend.org.uk> writes:
> Colin Watson writes:

>> Gnulib in fact provides a number of other useful utility functions as
>> well as simply replacement functions (e.g. xmalloc, xasprintf,
>> compile_csharp_using_pnet, execute_java_class) so this assumption may
>> well not be correct.

> When we find a /tmp handling vulnerability in gnulib, will we not have
> a serious problem ?

The sort of functions that gnulib provides are generally not going to have
this sort of problem, but yes.  It's a worry.

On the other hand, gnulib simply doesn't support a library model of use,
and has a lot of infrastructure built up around *not* being used that
way.  To turn it into a library and modify source packages to link against
it would be quite a bit of work on the Debian side that's not the
direction that upstream is going.  So I think we're on the bad end of that
tradeoff.

In the interest of getting *something* into Policy, even if it doesn't
give us everything that we want, I'm inclined to accept Colin's suggestion
and exempt cases where upstream intends the code to be embedded and not
used as a separate library.  It means that Policy won't be helping with a
few of our annoying cases, but at least we say something about the general
case and the specific cases can still be dealt with on a case-by-case
basis the way that we do now.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
  - From: Neil McGovern <neilm@debian.org>

References:
- Bug#392362: [PROPOSAL] Add should not embed code from other packages
  - From: Colin Watson <cjwatson@debian.org>
- Bug#392362: [PROPOSAL] Add should not embed code from other packages
  - From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
- Bug#392362: [PROPOSAL] Add should not embed code from other packages
  - From: Colin Watson <cjwatson@debian.org>
- Bug#392362: [PROPOSAL] Add should not embed code from other packages
  - From: Ian Jackson <ian@davenant.greenend.org.uk>

Prev by Date: Re: Breaks in lenny
Next by Date: Re: Breaks in lenny
Previous by thread: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Next by thread: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Index(es):
- Date
- Thread