Neil McGovern
2006-Oct-11 15:04 UTC
[Secure-testing-team] Bug#392362: [PROPOSAL] Add should not embed code from other packages
Package: debian-policy
Version: 3.7.2.2
Severity: wishlist
Tags: patch

Hi all,

I'm including a patch that adds a should not to policy.

Title: Embedding code provided in other packages

Synopsis: Packages should not include or embed code that is available in other packages.

Rationale: If a package contains embedded code, it becomes vulnerable to security bugs in the code it embeds. It's a) very hard to track this and b) makes it very hard to fix, as we have to issue multiple DSAs and fixed packages for any particular issue.

A current list of packages we know to embed code is at [0].

Cheers,
Neil

[0] http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0

-------------- next part --------------
--- policy.sgml +++ policy.sgml @@ -2105,6 +2105,14 @@ the file to the list in <file>debian/files</file>.</p> </sect> + <sect id="embededfiles"> + <heading>Embedding code provided in other packages</heading> + <p> + A package should not embed or include code from other + packages. Instead, the package should me modified to link against the + required files provided by the other package, and a Depends + relationship declared.</p> + </sect> </chapt>
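Review bot: The added paragraph has a typo in "the package should me modified" ("me" for "be"), and the new section id "embededfiles" misspells "embedded"; the id is worth correcting now because it becomes the anchor other documents link to. The rule text says "code from other packages", while the synopsis in the mail says code "that is available in other packages"; the second wording is the one that matches the rationale, so the paragraph should use it. The remedy is also stated only as "link against the required files" plus a Depends relationship, which does not say what a maintainer should do when the embedded copy is used at build time (a Build-Depends case) or is not something that can be linked against; a sentence covering those cases would make the "should not" easier to apply.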