Bug#392362: [PROPOSAL] Add should not embed code from other packages

Wed, 04 Jul 2007 01:43:58 -0700 

Neil McGovern <[EMAIL PROTECTED]> writes:
> On Tue, Jun 26, 2007 at 08:36:51AM -0700, Russ Allbery wrote:

>>     Some software packages include in their distribution convenience
>>     copies of libraries from other software packages, generally so that
>>     users compiling from source don't have to download multiple
>>     packages.  Debian packages should not make use of these convenience
>>     copies.  If the included library is already in the Debian archive,
>>     the Debian packaging should ensure that the software is linked with
>>     the libraries already in Debian and the convenience copy is not
>>     used.  If the included library is not already in Debian, it should
>>     be packaged separately as a prerequisite.

> I've tried to stay away from compile type language (and to some extent
> 'link') as it's not only C* programs that this effects.

>>     Having multiple copies of the same code in Debian is inefficient,
>>     often creates either static linking or shared library conflicts,
>>     and, most importantly, increases the difficulty of handling
>>     security vulnerabilities in the shared code.

> Hrm... does rationale belong in policy?

> I like the wording though :)

Here's a proposed patch based on that wording, with the correction already
previously noted.

Comments?

--- orig/policy.sgml
+++ mod/policy.sgml
@@ -2077,6 +2077,30 @@
          the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+      <sect id="embeddedfiles">
+       <heading>Convenience copies of libraries</heading>
+
+       <p>
+         Some software packages include in their distribution convenience
+         copies of libraries from other software packages, generally so
+         that users compiling from source don't have to download multiple
+         packages.  Debian packages should not make use of these
+         convenience copies.  If the included library is already in the
+         Debian archive, the Debian packaging should ensure that binary
+         packages reference the libraries already in Debian and the
+         convenience copy is not used.  If the included library is not
+         already in Debian, it should be packaged separately as a
+         prerequisite.
+         <footnote>
+           Having multiple copies of the same code in Debian is
+           inefficient, often creates either static linking or shared
+           library conflicts, and, most importantly, increases the
+           difficulty of handling security vulnerabilities in the shared
+           code.
+         </footnote>
+       </p>
+      </sect>
+
     </chapt>
 
-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to