Package: debian-policy
Version: 3.7.2.2
Severity: wishlist
Tags: patch

Hi all,

I'm including a patch that adds a should not to policy.

Title:          Embedding code provided in other packages
Synopsis:       Packages should not include or embed code that is available in
                other packages.
Rationale:      If a package contains embedded code, it becomes vulnerable
                to security bugs in the code it embeds. It's a) very hard to
                track this and b) makes it very hard to fix, as we have to
                issue multiple DSAs and fixed packages for any particular
                issue. A current list of packages we know to embed code is
                at [0].

Cheers,
Neil

[0]
http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
--- policy.sgml
+++ policy.sgml
@@ -2105,6 +2105,14 @@
          the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+    <sect id="embededfiles">
+      <heading>Embedding code provided in other packages</heading>
+      <p>
+      A package should not embed or include code from other
+      packages. Instead, the package should me modified to link against the
+      required files provided by the other package, and a Depends
+      relationship declared.</p>
+      </sect>
     </chapt>
 
 
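Review bot: The new paragraph has a typo, "the package should me modified" should read "the package should be modified", and the section id "embededfiles" is misspelled; since other documents and the table of contents will reference this id, it is worth spelling it "embeddedfiles" (or "embeddedcode", matching the heading) before it is committed. The section also states only the rule and the remedy (link against the other package and declare a Depends); the rationale given in the report, that embedded copies are hard to track and require multiple DSAs and fixed packages for one security issue, is the reason readers of policy will want, so consider adding a sentence carrying it into the section text.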
