Debian Bug report logs - #392362
[PROPOSAL] Add should not embed code from other packages


Package: debian-policy; Maintainer for debian-policy is Debian Policy List <debian-policy@lists.debian.org>; Source for debian-policy is src:debian-policy.

Reported by: Neil McGovern <neilm@debian.org>

Date: Wed, 11 Oct 2006 14:48:07 UTC

Severity: wishlist

Found in version debian-policy/3.7.2.2

Fixed in version debian-policy/3.8.0.0

Done: Russ Allbery <rra@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 11 Oct 2006 11:45:39 +0100
[Message part 1 (text/plain, inline)]
Package: debian-policy
Version: 3.7.2.2
Severity: wishlist
Tags: patch


Hi all,

I'm including a patch that adds a should not to policy.

Title: 		Embedding code provided in other packages
Synopsis: 	Packages should not include or embed code that is available in
			other packages.
Rationale:	If a package contains embedded code, it becomes vulnerable
			to security bugs in the code it embeds. It is a) very hard to
			track this and b) very hard to fix, as we have to
			issue multiple DSAs and fixed packages for any particular
			issue. A current list of packages we know to embed code is
			at [0].

Cheers,
Neil

[0]
http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
[policy.sgml.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 392362@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Neil McGovern <neilm@debian.org>
Cc: 392362@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 11 Oct 2006 20:22:45 +0200
* Neil McGovern:

> +      packages. Instead, the package should me modified to link against the
> +      required files provided by the other package, and a Depends

Uh-oh.  No more C-ism, please.  "should be modified to reference the
required files" would cover other code copies as well, for instance
PHP scripts.

Apart from that, I think the change is a good idea.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <allomber@math.u-bordeaux.fr>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #15 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <allomber@math.u-bordeaux.fr>
To: Neil McGovern <neilm@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 11 Oct 2006 20:25:24 +0200
On Wed, Oct 11, 2006 at 11:45:39AM +0100, Neil McGovern wrote:
> --- policy.sgml
> +++ policy.sgml
> @@ -2105,6 +2105,14 @@
>  	  the file to the list in <file>debian/files</file>.</p>
>        </sect>
>  
> +    <sect id="embededfiles">
> +      <heading>Embedding code provided in other packages</heading>
> +      <p>
> +      A package should not embed or include code from other
> +      packages. Instead, the package should me modified to link against the
> +      required files provided by the other package, and a Depends
> +      relationship declared.</p>
> +      </sect>
>      </chapt>
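Review bot: two misspellings in the added section: the id `embededfiles` (use `embeddedfiles`) and "should me modified" for "should be modified". Beyond spelling, "link against the required files" only describes compiled code, whereas the rationale in the report covers any copied source, scripts included; "reference the required files provided by the other package" would state the rule generally. The section also gives the rule without the reason from the report (a security fix in embedded code otherwise needs a separate DSA and upload for every embedding package); one sentence of rationale would tell a policy reader why the should-not is there.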

s/embededfiles/embeddedfiles/
s/me modified/be modified/

Actually almost all packages requiring some form of compilation do that.
A C file that #includes a header file from another package (e.g. the C library)
includes part of that package (the constants and inline functions).
Bison parsers embed a large part of the Bison source code.
Since we are a free software project, forking a program should be
possible without modifying all the files; this is actually the case
for a lot of packages (for example most window managers), and
"be modified to link against the required files provided by the other
package" is very often impossible.

I am not sure we can realistically add a requirement higher than:

     A package should not link against copy of libraries packaged
     separately by Debian. 

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Joerg Jaspert <joerg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #20 received at 392362@bugs.debian.org (full text, mbox):

From: Joerg Jaspert <joerg@debian.org>
To: Neil McGovern <neilm@debian.org>
Cc: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sat, 14 Oct 2006 11:50:53 +0200
[Message part 1 (text/plain, inline)]
On 10804 March 1977, Neil McGovern wrote:

> Title: 		Embedding code provided in other packages
> Synopsis: 	Packages should not include or embed code that is available in
> 			other packages.
> Rationale:	If a package contains embedded code, it becomes vulnerable
> 			to security bugs in the code it embeds. It is a) very hard to
> 			track this and b) very hard to fix, as we have to
> 			issue multiple DSAs and fixed packages for any particular
> 			issue. A current list of packages we know to embed code is
> 			at [0].

Oh yeah, seconded. It's in most cases already a reject in NEW.

-- 
bye Joerg
[http://www.youam.net/stuff/info...-hosting.de/server-info.php]
"The server's connection: our server is connected to our local network at
100 MBit/s (=12MB per second); our Internet connection is 768 kbit/s
downstream and 128 kbit/s upstream. To some ears this sounds slow, but
as a rule our speed is praised rather than criticized, because the
upstream can also be "overdrawn" when the server is overloaded (we have
tested this on examples, though it cannot be explained 100%)."
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #25 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sat, 14 Oct 2006 17:30:10 +0100
[Message part 1 (text/plain, inline)]
On Wed, Oct 11, 2006 at 11:45:39AM +0100, Neil McGovern wrote:
> I'm including a patch that adds a should not to policy.
> 

Now updated, removed C-ism and fixed some typos.

I'm not sure we can say libraries instead of files, as some programs
embed bits of libraries, instead of the whole lot. Which makes it even
harder to work out what has security holes :|

I'm aware that in some cases it's very hard to avoid this, which is why
it's a should, rather than a shall.

Cheers,
Neil
-- 
[..] But, up to now, this Friday was the best Debconf day ever and, no I'm not
on some drugs that makes you happy. I'm just a happy Debconfer.
	-- Christian Perrier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #30 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 15 Oct 2006 09:49:58 +0100
[Message part 1 (text/plain, inline)]
On Sat, Oct 14, 2006 at 05:30:10PM +0100, Neil McGovern wrote:
> On Wed, Oct 11, 2006 at 11:45:39AM +0100, Neil McGovern wrote:
> > I'm including a patch that adds a should not to policy.
> > 
> 
> Now updated, removed C-ism and fixed some typos.
> 

And this time *with* the patch...

Neil
-- 
* hermanr feels like a hedgehog having sex...
[policy.sgml.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <allomber@math.u-bordeaux.fr>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #35 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <allomber@math.u-bordeaux.fr>
To: Neil McGovern <neilm@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 15 Oct 2006 11:16:47 +0200
On Sun, Oct 15, 2006 at 09:49:58AM +0100, Neil McGovern wrote:
> --- policy.sgml
> +++ policy.sgml
> @@ -2105,6 +2105,14 @@
>  	  the file to the list in <file>debian/files</file>.</p>
>        </sect>
>  
> +    <sect id="embeddedfiles">
> +      <heading>Embedding code provided in other packages</heading>
> +      <p>
> +      A package should not embed or include code from other
> +      packages. Instead, the package should be modified to reference the
> +      required files provided by the other package, and a Depends
> +      relationship declared.</p>
> +      </sect>
>      </chapt>
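Review bot: "a Depends relationship declared" does not say which relationship is meant, and the new section sits just before the closing `</chapt>` of the source package chapter, where build-time copying is the concern: a source package that uses the external copy at build time needs a Build-Depends on the package providing those files, and the resulting binary package a Depends on the runtime package. Naming both, or saying "the appropriate dependency relationship", would settle the Depends versus Build-Depends question raised against this hunk. Minor: within the hunk the opening `<sect id="embeddedfiles">` is indented four spaces and the closing `</sect>` six; check against the convention of the enclosing file.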

This does not address my concern. Every compiled C program embeds code
from the C library header files but should not Depend on libc6-dev.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #40 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 392362@bugs.debian.org
Cc: Neil McGovern <neilm@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 15 Oct 2006 10:44:10 +0100
[Message part 1 (text/plain, inline)]
On Sun, Oct 15, 2006 at 11:16:47AM +0200, Bill Allombert wrote:
> On Sun, Oct 15, 2006 at 09:49:58AM +0100, Neil McGovern wrote:
> > --- policy.sgml
> > +++ policy.sgml
> > @@ -2105,6 +2105,14 @@
> >  	  the file to the list in <file>debian/files</file>.</p>
> >        </sect>
> >  
> > +    <sect id="embeddedfiles">
> > +      <heading>Embedding code provided in other packages</heading>
> > +      <p>
> > +      A package should not embed or include code from other
> > +      packages. Instead, the package should be modified to reference the
> > +      required files provided by the other package, and a Depends
> > +      relationship declared.</p>
> > +      </sect>
> >      </chapt>
> 
> This does not address my concern. Every compiled C program embeds code
> from the C library header files but should not Depend on libc6-dev.

However, every C program doesn't ship with its own version of the C
library header files, which is what we're trying to avoid.

Neil
-- 
02:14:04 <stockholm> crap. my squirrelmail does not work
02:14:07 <stockholm> Maulkin: ping
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <allomber@math.u-bordeaux.fr>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #45 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <allomber@math.u-bordeaux.fr>
To: Neil McGovern <neilm@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 15 Oct 2006 12:04:20 +0200
On Sun, Oct 15, 2006 at 10:44:10AM +0100, Neil McGovern wrote:
> > > +    <sect id="embeddedfiles">
> > > +      <heading>Embedding code provided in other packages</heading>
> > > +      <p>
> > > +      A package should not embed or include code from other
> > > +      packages. Instead, the package should be modified to reference the
> > > +      required files provided by the other package, and a Depends
> > > +      relationship declared.</p>
> > > +      </sect>
> > >      </chapt>
> > 
> > This does not address my concern. Every compiled C program embeds code
> > from the C library header files but should not Depend on libc6-dev.
> 
> However, every C program doesn't ship with its own version of the C
> library header files, which is what we're trying to avoid.

In that case, I suggest you change "package" to "source package" and
"Depends" to "Build-Depends". Or am I missing something?

In the example above, the binary package does embed code from the C
header file.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #50 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 15 Oct 2006 11:24:22 +0100
[Message part 1 (text/plain, inline)]
On Sun, Oct 15, 2006 at 12:04:20PM +0200, Bill Allombert wrote:
> On Sun, Oct 15, 2006 at 10:44:10AM +0100, Neil McGovern wrote:
> > > > +    <sect id="embeddedfiles">
> > > > +      <heading>Embedding code provided in other packages</heading>
> > > > +      <p>
> > > > +      A package should not embed or include code from other
> > > > +      packages. Instead, the package should be modified to reference the
> > > > +      required files provided by the other package, and a Depends
> > > > +      relationship declared.</p>
> > > > +      </sect>
> > > >      </chapt>
> > > 
> > > This does not address my concern. Every compiled C program embeds code
> > > from the C library header files but should not Depend on libc6-dev.
> > 
> > However, every C program doesn't ship with its own version of the C
> > library header files, which is what we're trying to avoid.
> 
> In that case, I suggest you change "package" to "source package" and
> "Depends" to "Build-Depends". Or am I missing something?
> 

Well, this section is an amendment to the source package section.

Essentially, there's been a large number of packages recently that embed
code from other packages in their own. Included in this is static
compilation, but this seems to be covered by another bit of policy. We
want to avoid packages shipping their own versions of libraries, as then
if a security problem or major bug is discovered in that library, we
have lots of packages to update, and there's no guarantee we'll even know
which packages it affects.

Cheers,
Neil
-- 
* stockholm calls netapp
* stockholm calls someone else
<Ganneff> you are typing random numbers on your phone?
<stockholm> yes. my newest attempt to close our budget hole
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Don Armstrong <don@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #55 received at 392362@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@debian.org>
To: debian-policy@lists.debian.org, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 15 Oct 2006 04:10:41 -0700
On Wed, 11 Oct 2006, Bill Allombert wrote:
> I am not sure we can realistically add a requirement higher than:
> 
>      A package should not link against copy of libraries packaged
>      separately by Debian. 

Any needless code duplication is bad, be it in libraries, perl or
python modules, or even things like documentation. I don't have a
better suggestion for verbiage at this point, but packages should not
be duplicating code that is present in other packages, especially when
already established mechanisms are in place to utilize that code
without duplication. [Actually having the code duplicated in the
upstream source may not be so bad, but it definitely should not be used
to build the binary package.]

Of course, it's true that this would be a should directive; things
that fail to meet it are buggy, but it's not an RC bug.


Don Armstrong

-- 
<Clint> why the hell does kernel-source-2.6.3 depend on xfree86-common?
<infinity> It... Doesn't?
<Clint> good point

http://www.donarmstrong.com              http://rzlab.ucr.edu



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #60 received at 392362@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Bill Allombert <allomber@math.u-bordeaux.fr>, 392362@bugs.debian.org
Cc: Neil McGovern <neilm@debian.org>
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 15 Oct 2006 13:36:56 +0200
On Sun, Oct 15, 2006 at 12:04:20PM +0200, Bill Allombert wrote:
> On Sun, Oct 15, 2006 at 10:44:10AM +0100, Neil McGovern wrote:
> > > > +    <sect id="embeddedfiles">
> > > > +      <heading>Embedding code provided in other packages</heading>
> > > > +      <p>
> > > > +      A package should not embed or include code from other
> > > > +      packages. Instead, the package should be modified to reference the
> > > > +      required files provided by the other package, and a Depends
> > > > +      relationship declared.</p>
> > > > +      </sect>
> > > >      </chapt>
> > > 
> > > This does not address my concern. Every compiled C program embeds code
> > > from the C library header files but should not Depend on libc6-dev.
> > 
> > However, every C program doesn't ship with its own version of the C
> > library header files, which is what we're trying to avoid.
> 
> In that case, I suggest you change "package" to "source package" and
> "Depends" to "Build-Depends". Or am I missing something?
> 
> In the example above, the binary package does embed code from the C
> header file.

I think what we want is:
- Every library that other packages may want to link to should
  have a -dev package, so others can build-depend on it.  This
  basically means everything that has a library in /usr/lib.
- Every source package should have build-dependencies on the
  libraries it wants to use that are not part of the same source
  package.
- If the upstream version contains a library that already is in
  Debian in a separate source package, it should either:
  - make sure it's linked against the external package, and not
    using the internal version.
  - Remove the internal version.
- Deprecate static linking


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Chris Waters <xtifr@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #65 received at 392362@bugs.debian.org (full text, mbox):

From: Chris Waters <xtifr@debian.org>
To: Neil McGovern <neilm@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 15 Oct 2006 11:57:47 -0700
On Sun, Oct 15, 2006 at 11:24:22AM +0100, Neil McGovern wrote:

> We want to avoid packages shipping their own versions of libraries,
> as then if a security problem or major bug is discovered in that
> library, we have lots of packages to update, and there's no guarantee
> we'll even know which packages it affects.

I don't know if it can always be avoided.  The perl-tk package, for
example, embeds its own versions of tcl and tk, but that's an upstream
choice.  Basically, they maintain their own fork.  On the one hand, if
a hole is found in tcl or tk, it might go unnoticed in perl-tk BUT on
the other hand, there's no guarantee that any other version of tcl or
tk will even work with perl-tk!  Can we force perl-tk upstream to
merge their fork?  I doubt it would be easy, but you're welcome to
try.  Should we re-fork perl-tk on our own?  That sounds like madness,
but you're welcome to try.  In either case, though, I think there's a
whole lot of required work before perl-tk could be brought in line
with this proposal.

Also, some libraries come with compile-time options, and a particular
package may need a version built with different options than the main
version of the library in Debian.  Ideally, we would provide an
alternate version of the library package, but it's not always that
easy.

I would go for strongly discouraging the practice, but I think that
flat-out forbidding it might be excessive at this point.  At the very
least, I think we should get some feedback from the people who are
engaging in this practice before passing any absolute bans.

-- 
Chris Waters           |  Pneumonoultra-        osis is too long
xtifr@debian.org       |  microscopicsilico-    to fit into a single
or xtifr@speakeasy.net |  volcaniconi-          standalone haiku



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #70 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 15 Oct 2006 21:13:11 +0100
[Message part 1 (text/plain, inline)]
On Sun, Oct 15, 2006 at 11:57:47AM -0700, Chris Waters wrote:
> On Sun, Oct 15, 2006 at 11:24:22AM +0100, Neil McGovern wrote:
> 
> > We want to avoid packages shipping their own versions of libraries,
> > as then if a security problem or major bug is discovered in that
> > library, we have lots of packages to update, and there's no guarantee
> > we'll even know which packages it affects.
> 
> I don't know if it can always be avoided.
[snip lots of good examples where this is unavoidable]
> 
> I would go for strongly discouraging the practice, but I think that
> flat-out forbidding it might be excessive at this point.

Hence this being "should not", rather than "must not". We're aware
that it's not always possible, and you phrased it wonderfully. We want
to strongly discourage it, rather than flat-out forbidding it :)

Cheers,
Neil
-- 
<Tincho> 'Maybe you can try to find a nice hotel by shouting in the Mexico DF
    streets "where could a gringo find a decent hotel in this dirty third
    world lame excuse for a country?". I'm sure the people will rush to help
    you, as we south americans love to be called third world in a demeaning way.'
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Chris Waters <xtifr@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #75 received at 392362@bugs.debian.org (full text, mbox):

From: Chris Waters <xtifr@debian.org>
To: Neil McGovern <neilm@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Mon, 16 Oct 2006 11:27:45 -0700
On Sun, Oct 15, 2006 at 09:13:11PM +0100, Neil McGovern wrote:
> On Sun, Oct 15, 2006 at 11:57:47AM -0700, Chris Waters wrote:
> > I don't know if it can always be avoided.
> [snip lots of good examples where this is unavoidable]

> > I would go for strongly discouraging the practice, but I think that
> > flat-out forbidding it might be excessive at this point.

> Hence this being "should not", rather than "must not". We're aware
> that it's not always possible, and you phrased it wonderfully. We want
> to strongly discourage it, rather than flat-out forbidding it :)

"Should not" says that it's always a bug--just not an RC bug.  I'm
saying that perhaps sometimes it's not a bug.  Although I strongly
agree that it should _usually_ be a bug.

In fact, as the tcl/tk maintainer, I have a vested interest in making
it always be a bug.  But I'm trying to bend over backwards to be fair
to my dependents...or non-dependents, as the case may be.  I would
love to see perl-tk built against my packages.  But I realize there
are valid reasons why it's currently not.

Anyway, I'm not going to formally object or anything.  I just wanted
to toss the notion out and see what happened.

-- 
Chris Waters           |  Pneumonoultra-        osis is too long
xtifr@debian.org       |  microscopicsilico-    to fit into a single
or xtifr@speakeasy.net |  volcaniconi-          standalone haiku



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Don Armstrong <don@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #80 received at 392362@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@debian.org>
To: debian-policy@lists.debian.org, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Mon, 16 Oct 2006 14:18:34 -0700
On Mon, 16 Oct 2006, Chris Waters wrote:
> "Should not" says that it's always a bug--just not an RC bug. I'm
> saying that perhaps sometimes it's not a bug. Although I strongly
> agree that it should _usually_ be a bug.

I really can't imagine when it would not be a bug; in some cases, it
may just be a wishlist or minor bug because the libraries don't expose
the proper interfaces or need to be modified before being compiled. In
either case, the proper solution is to eventually fix the interfaces
or library so the extra code can be jettisoned.


Don Armstrong

-- 
What I can't stand is the feeling that my brain is leaving me for 
someone more interesting.

http://www.donarmstrong.com              http://rzlab.ucr.edu



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #85 received at 392362@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Chris Waters <xtifr@debian.org>
Cc: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 19 Nov 2006 13:49:41 +0100
Chris Waters wrote:
> > We want to avoid packages shipping their own versions of libraries,
> > as then if a security problem or major bug is discovered in that
> > library, we have lots of packages to update, and there's no guarantee
> > we'll even know which packages it affects.
> 
> I don't know if it can always be avoided. 

In any case it should be mandatory that these embedded code copies
need to be documented by maintainers, preferably in a central place.
Many cases of embedded code copies have only been discovered by
accident and the Security Team can't keep track of the whole archive.

In theory each maintainer and upstream should monitor security-related
changes in such embedded copies; in practice it just fails.

Cheers,
        Moritz
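Neil's rationale (one security fix in embedded code means a separate update for every embedding package, with no guarantee of even knowing which packages are affected) and Moritz's point that the copies need to be documented in a central place both come down to finding the copies in the first place. The following Python script is an added example, not code from this bug report or from the Debian Security Team's embedded-code-copies tooling: it hashes the files shipped by known libraries, scans a source tree for files with the same content after line-ending and trailing-whitespace normalisation, and reports complete and partial copies in a form a maintainer could record. The library names, file paths and file contents are constructed sample data, and the "source tree" and "libraries" are in-memory dicts standing in for directories on disk.

```python
"""Find embedded copies of separately packaged libraries in a source tree.

Added example (not from the bug report): compares the content digest of
every file in a source tree against the files shipped by known libraries,
so that embedded copies can be listed in a central record. Library names,
paths and file contents below are constructed sample data.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

# Files shorter than this are skipped: tiny files (VERSION, an empty
# __init__.py, a one-line Makefile fragment) are identical across unrelated
# projects and would only produce false positives.
MIN_BYTES = 64


def normalize(data: bytes) -> bytes:
    """Fold line-ending and trailing-whitespace differences, so a copy that
    was only CRLF-converted or whitespace-cleaned still matches."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return b"\n".join(line.rstrip() for line in lines)


def digest(data: bytes) -> str:
    return hashlib.sha256(normalize(data)).hexdigest()


def indexable(content: bytes) -> bool:
    return len(content) >= MIN_BYTES


def build_index(libraries: dict[str, dict[str, bytes]]) -> dict[str, list[tuple[str, str]]]:
    """Map content digest -> [(library, path)] for every known library file."""
    index: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for lib, files in libraries.items():
        for path, content in files.items():
            if indexable(content):
                index[digest(content)].append((lib, path))
    return dict(index)


@dataclass
class Finding:
    library: str
    library_file_count: int                  # indexable files the library ships
    matches: dict[str, str] = field(default_factory=dict)  # source path -> library path

    @property
    def coverage(self) -> float:
        """Share of the library's files present in the tree. Below 1.0 it is a
        partial copy ("bits of libraries"), which is no easier to track."""
        return len(set(self.matches.values())) / self.library_file_count


def find_embedded_copies(source_tree: dict[str, bytes],
                         libraries: dict[str, dict[str, bytes]]) -> dict[str, Finding]:
    """Return one Finding per library that has at least one file copied into the tree."""
    index = build_index(libraries)
    findings: dict[str, Finding] = {}
    for src_path, content in source_tree.items():
        if not indexable(content):
            continue
        for lib, lib_path in index.get(digest(content), []):
            finding = findings.setdefault(
                lib, Finding(lib, sum(1 for c in libraries[lib].values() if indexable(c))))
            finding.matches[src_path] = lib_path
    return findings


def report(findings: dict[str, Finding]) -> list[str]:
    """One line per library, in a form suitable for a central record of copies."""
    lines = []
    for lib in sorted(findings):
        f = findings[lib]
        kind = "complete" if f.coverage >= 1.0 else "partial"
        lines.append(f"{lib}: {kind} copy ({len(f.matches)} files, "
                     f"{f.coverage:.0%} of library) at " + ", ".join(sorted(f.matches)))
    return lines


# --- constructed sample data: two hypothetical libraries and one source tree ---
LIBFOO = {
    "foo.h": b"/* libfoo public header (constructed sample) */\nint foo_init(void);\n"
             b"int foo_crunch(const char *buf, int len);\n",
    "foo.c": b"#include \"foo.h\"\nint foo_init(void) { return 0; }\n"
             b"int foo_crunch(const char *buf, int len) { return len; }\n",
    "foo_extra.c": b"/* rarely used helpers (constructed sample) */\n"
                   b"int foo_extra(void) { return 42; }\n",
}
LIBBAR = {
    "bar.c": b"/* libbar (constructed sample) */\n"
             b"int bar_open(const char *path) { return path != 0; }\n"
             b"int bar_close(int fd) { return fd; }\n",
    "VERSION": b"1.0\n",
}
KNOWN_LIBRARIES = {"libfoo": LIBFOO, "libbar": LIBBAR}

SOURCE_TREE = {
    "src/main.c": b"#include \"foo.h\"\n#include <stdio.h>\n\nint main(void)\n{\n"
                  b"    printf(\"%d\\n\", foo_crunch(\"x\", 1));\n    return foo_init();\n}\n",
    "third_party/foo/foo.h": LIBFOO["foo.h"].replace(b"\n", b"\r\n"),  # CRLF-converted copy
    "third_party/foo/foo.c": LIBFOO["foo.c"],                         # verbatim copy
    "VERSION": LIBBAR["VERSION"],                                      # too small to count
}

if __name__ == "__main__":
    for line in report(find_embedded_copies(SOURCE_TREE, KNOWN_LIBRARIES)):
        print(line)
```

On the sample tree this reports libfoo as a partial copy (two of its three files, one of them only differing by line endings) and nothing for libbar, because the identical one-line VERSION file is below the size threshold. Exact-content matching only finds unmodified copies; a copy that upstream has patched needs additional signals (embedded version strings, per-function hashes), which is exactly why a maintained central list, as asked for above, beats rediscovering copies by accident.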



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #90 received at 392362@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 392362@bugs.debian.org
Subject: I second this proposal
Date: Tue, 28 Nov 2006 22:27:46 +0100
[Message part 1 (text/plain, inline)]
I second Neil's proposal.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #95 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Moritz Muehlenhoff <jmm@inutil.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: I second this proposal
Date: Wed, 29 Nov 2006 00:45:05 +0100
On Tue, Nov 28, 2006 at 10:27:46PM +0100, Moritz Muehlenhoff wrote:
> I second Neil's proposal.

Which precise proposal? Which wording?
There are several of them in the bug log.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large blue swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #100 received at 392362@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@debian.org>
To: 392362@bugs.debian.org
Subject: [PROPOSAL] Add should not embed code from other packages
Date: Mon, 18 Jun 2007 15:59:12 +0200
[Message part 1 (text/plain, inline)]
I second Neil's proposal from Sun, 15 Oct 2006 09:49:58, i.e. the 
latest version.

Stefan
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #105 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Stefan Fritsch <sf@debian.org>, 392362@bugs.debian.org
Cc: submitter@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Mon, 18 Jun 2007 19:27:43 +0200
[Message part 1 (text/plain, inline)]
On Mon, Jun 18, 2007 at 03:59:12PM +0200, Stefan Fritsch wrote:
> I second Neil's proposal from Sun, 15 Oct 2006 09:49:58, i.e. the 
> latest version.

and I have to object to it because the proposal seems to mix build-time
and run-time dependencies. At least I did not get an answer to my later
post on the subject. It should be clarified whether the proposal applies
to source packages and build-dependencies or to binary packages and
run-time dependencies.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 
[signature.asc (application/pgp-signature, inline)]

Message sent on to Neil McGovern <neilm@debian.org>:
Bug#392362. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #113 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Mon, 25 Jun 2007 14:02:21 +0100
[Message part 1 (text/plain, inline)]
On Mon, Jun 18, 2007 at 07:27:43PM +0200, Bill Allombert wrote:
> On Mon, Jun 18, 2007 at 03:59:12PM +0200, Stefan Fritsch wrote:
> > I second Neil's proposal from Sun, 15 Oct 2006 09:49:58, i.e. the 
> > latest version.
> 
> and I have to object to it because the proposal seems to mix build-time
> and run-time dependencies. At least I did not get an answer to my later
> post on the subject. It should be clarified whether the proposal applies
> to source packages and build-dependencies or to binary packages and
> run-time dependencies.
> 

I don't think it does. The proposal is for source packages, and a
run-time (well, install time) dependency should be declared on the
relevant lib* package. I'm not sure there's a need to explicitly state
that a lib*-dev builddep should be declared, as the package will FTBFS
if it can't find the libraries it needs.

Any suggestions for improved wording?

And I did reply to your last mail, copying here at the end :)

Cheers,
Neil
------------ snip -------------
> In that case, I suggest you change package by source package and
> Depends
> by Build-Depends. Or am I missing something ?
> 

Well, this section is an amendment to the source package section.

Essentially, there's been a large number of packages recently that embed
code from other packages in their own. Included in this is static
compilation, but this seems to be covered by another bit of policy. We
want to avoid packages shipping their own versions of libraries, as then
if a security problem or major bug is discovered in that library, we
have lots of packages to update, and there's no guarantee we'll even know
which packages it affects.
------------ snip -------------
-- 
< weasel> dpkg: shut up
< dpkg> No, I won't, and you can't make me. :P
< weasel> hah.  _I_ can
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #118 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Neil McGovern <neilm@debian.org>
Cc: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Mon, 25 Jun 2007 17:33:53 +0200
On Mon, Jun 25, 2007 at 02:02:21PM +0100, Neil McGovern wrote:
> On Mon, Jun 18, 2007 at 07:27:43PM +0200, Bill Allombert wrote:
> > On Mon, Jun 18, 2007 at 03:59:12PM +0200, Stefan Fritsch wrote:
> > > I second Neil's proposal from Sun, 15 Oct 2006 09:49:58, i.e. the 
> > > latest version.
> > 
> > and I have to object to it because the proposal seems to mix build-time
> > and run-time dependencies. At least I did not get an answer to my later
> > post on the subject. It should be clarified whether the proposal applies
> > to source packages and build-dependencies or to binary packages and
> > run-time dependencies.
> > 
> 
> I don't think it does. The proposal is for source packages, and a
> run-time (well, install time) dependency should be declared on the
> relevant lib* package. I'm not sure there's a need to explicitly state
> that a lib*-dev builddep should be declared, as the package will FTBFS
> if it can't find the libraries it needs.
> 
> Any suggestions for improved wording?

If this is what you want, then I will certainly not object, but the
current draft seems to imply something else. Especially the expected
meaning of "package" does not seem to capture what you need.

I think you should clarify that:

1) This is meant to apply to source packages where upstream includes a
convenience copy of external libraries (in the large sense) that are
normally distributed as stand-alone tarballs, and where the build process
links against the convenience copy of the libraries (instead of the system one).

2) The package should build against the libraries as provided by Debian
and not the convenience copy. Preferably, the convenience copy should
not even be compiled in the build process.

> > +    <sect id="embeddedfiles">
> > +      <heading>Embedding code provided in other packages</heading>
> > +      <p>
> > +      A package should not embed or include code from other
> > +      packages. Instead, the package should be modified to reference the
> > +      required files provided by the other package, and a Depends
> > +      relationship declared.</p>
> > +      </sect>
> >      </chapt>
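Review bot: the added section declares only "a Depends relationship", yet the case being addressed (a library bundled in the upstream tarball and linked at build time) is primarily a build-dependency on the library's -dev package; the sentence should name Build-Depends, or both, or the reader will conclude it concerns installed binary packages only, which is exactly the build-time/run-time confusion raised above. The subject "a package should not embed or include code from other packages" also never says whether "package" means source or binary, and "code from other packages" does not single out the bundled-convenience-copy situation; stating that case explicitly would remove both ambiguities.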

Suppose the upstream tarball of foo includes a copy of libjpeg and links
the program statically against it. It is not obvious that
"package foo embeds or includes code from package libjpeg". Someone
could think "precisely it doesn't, since it uses its own copy of
libjpeg".

On the other hand, bar is compiled statically against libjpeg. I am
sure someone would say "bar includes code from libjpeg".

By no means do I want to encourage static linking, but it does not
seem to be what you had in mind, and forbidding static linking
has other issues that it is best to address separately.
In any case it is too generic this way.

> And I did reply to your last mail, copying here at the end :)

Sorry I missed it, then.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #123 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 26 Jun 2007 13:59:58 +0100
[Message part 1 (text/plain, inline)]
On Mon, Jun 25, 2007 at 05:33:53PM +0200, Bill Allombert wrote:
> > Any suggestions for improved wording?
> 
> If this is that what you want, then I will certainly not object, but the
> current draft seems to imply something else. Especially the expected 
> meaning of package does not seems to capture what you need.
> 

How's this version? (attached)

Neil
-- 
* hermanr feels like a hedgehog having sex...
[policy.sgml.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #128 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Neil McGovern <neilm@debian.org>
Cc: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 26 Jun 2007 16:54:31 +0200
[Message part 1 (text/plain, inline)]
On Tue, Jun 26, 2007 at 01:59:58PM +0100, Neil McGovern wrote:
> On Mon, Jun 25, 2007 at 05:33:53PM +0200, Bill Allombert wrote:
> > > Any suggestions for improved wording?
> > 
> --- policy.sgml	2006-10-11 08:44:02.684306000 +0100
> +++ policy.sgml	2007-06-26 13:58:10.160026885 +0100
> @@ -2105,6 +2105,19 @@
>  	  the file to the list in <file>debian/files</file>.</p>
>        </sect>
>  
> +    <sect id="embeddedfiles">
> +      <heading>Embedding code provided in other packages</heading>
> +      <p>
> +      Should the upstream source ship with a convenience copy of an external
> +      library, and this library is already packaged in Debian, the Debian
> +      package should not embed or include this code.
> +      Instead, the package should be modified to reference the required
> +      files in the library package provided by Debian, and a Depends and/or
> +      Build-Depends relationship declared as required.
> +      Optionally, the convenience copy should not be compiled in the
> +      build-process. 
> +      </p>
> +      </sect>
>      </chapt>
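Review bot: "Optionally, the convenience copy should not be compiled in the build-process" pairs a permissive qualifier with a normative "should not"; Policy's vocabulary needs one or the other, and since the line describes the expected common practice, "Preferably, the convenience copy is not compiled during the build" is the reading that matches the rest of the paragraph. The condition "and this library is already packaged in Debian" silently permits using the convenience copy when the library is not packaged; one sentence on that case (package it separately first) would close the gap. Style: the opening `<sect id="embeddedfiles">` is indented four columns while its closing `</sect>` sits at six, unlike the surrounding `</sect>` in the context lines.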

Two comments:

1) "this library is already packaged in Debian":
If it is not packaged, it should be packaged instead of using the
convenience copy. Otherwise three problems can appear:
1.1) if the library is packaged separately afterward.
1.2) if two packages independently include a convenience copy of the
same library.
1.3) the security team might miss security issues in a library if
it is not packaged but only used through a convenience copy.

The keyword is "convenience" here: it does not apply to copies
shipped as part of a larger tarball as the main distribution medium.

2) "Optionally ... should not" seems internally inconsistent.
I would expect either
"Optionally ... may not"
or
"Preferably, ... should not"
and I would prefer the second because compiling libraries we won't use
is a waste of time and might cause linking inadvertently to them instead
of the system one.

But I certainly lift my objection.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 
[signature.asc (application/pgp-signature, inline)]
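The two conditions discussed in this message (is the bundled library already packaged in Debian, and does the packaging declare that Debian package as a build dependency rather than silently using the bundled copy) can be checked mechanically for the common case. The following is an added example written for this discussion; it is not Debian Policy text and not a Debian tool. The sentinel-file table, the hypothetical source package "foo", its file layout and its debian/control are all constructed for illustration.

```python
"""Find convenience copies of libraries in an upstream source tree and check
whether debian/control already declares the matching Debian -dev package.

Added example for this discussion; it is not Debian Policy text and not a
Debian tool.  SENTINELS and the sample tree are constructed for illustration
(hypothetical paths and a hypothetical source package "foo")."""
import os
import re
import tempfile

# Files whose presence identifies a bundled copy of a library, mapped to the
# Debian development package a build should use instead.  Constructed table:
# a real checker would take this from a maintained list (assumption).
SENTINELS = {
    "jpeglib.h": "libjpeg-dev",
    "zlib.h": "zlib1g-dev",
    "expat.h": "libexpat1-dev",
    "sqlite3.c": "libsqlite3-dev",
}


def find_convenience_copies(root):
    """Walk the tree below root, skipping debian/, and return sorted
    (relative_dir, dev_package) pairs for each directory holding a sentinel."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        # debian/ is the packaging, not upstream source; nothing there is bundled.
        if rel == "debian" or rel.startswith("debian" + os.sep):
            continue
        for name in filenames:
            if name in SENTINELS:
                found.add((rel, SENTINELS[name]))
    return sorted(found)


def parse_build_depends(control_text):
    """Return the package names from Build-Depends / Build-Depends-Indep of the
    source stanza, with version, architecture and profile qualifiers removed
    and alternatives ('a | b') flattened into plain names."""
    # Unfold continuation lines (indented lines belong to the previous field),
    # then keep only the first stanza, which is the source package's.
    unfolded = re.sub(r"\n[ \t]+", " ", control_text)
    source_stanza = unfolded.split("\n\n", 1)[0]
    names = set()
    for line in source_stanza.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() in ("build-depends", "build-depends-indep"):
            for item in value.split(","):
                for alternative in item.split("|"):
                    # Drop "(>= 1.2)", "[!hurd-i386]" and "<!nocheck>" qualifiers.
                    name = re.sub(r"[(\[<].*", "", alternative).strip()
                    if name:
                        names.add(name)
    return names


def check_tree(root, control_text):
    """Report each convenience copy together with whether the Debian package
    that should replace it is declared as a build dependency."""
    declared = parse_build_depends(control_text)
    return [
        {
            "path": rel_dir,
            "debian_package": dev_pkg,
            "build_depends_declared": dev_pkg in declared,
        }
        for rel_dir, dev_pkg in find_convenience_copies(root)
    ]


# Constructed sample: a hypothetical source package "foo" bundling libjpeg
# and zlib, but declaring only the libjpeg development package.
SAMPLE_CONTROL = """\
Source: foo
Section: graphics
Build-Depends: debhelper (>= 5), libjpeg-dev | libjpeg62-dev,
 libexpat1-dev [!hurd-i386]

Package: foo
Architecture: any
Depends: ${shlibs:Depends}
"""

SAMPLE_FILES = [
    "src/main.c",
    "jpeg-6b/jpeglib.h",
    "jpeg-6b/jdmaster.c",
    "third_party/zlib/zlib.h",
    "debian/control",
]


def demo():
    """Materialise the constructed tree in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_FILES:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("/* constructed placeholder */\n")
        return check_tree(root, SAMPLE_CONTROL)


if __name__ == "__main__":
    for entry in demo():
        status = "declared" if entry["build_depends_declared"] else "MISSING"
        print(f"{entry['path']}: bundled copy of {entry['debian_package']} "
              f"(Build-Depends {status})")
```

On the sample tree this flags jpeg-6b (libjpeg-dev declared) and third_party/zlib (zlib1g-dev missing). A declared Build-Depends is necessary but not sufficient: the build must also be pointed at the system library, and whether the linker actually picked the system copy or the bundled one can only be seen at build time, which is why the check on the source tree and control file is the first half of the verification, not all of it.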

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #133 received at 392362@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Neil McGovern <neilm@debian.org>
Cc: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 26 Jun 2007 08:36:51 -0700
Neil McGovern <neilm@debian.org> writes:

> How's this version? (attached)

> Neil
> -- 
> * hermanr feels like a hedgehog having sex...

> --- policy.sgml	2006-10-11 08:44:02.684306000 +0100
> +++ policy.sgml	2007-06-26 13:58:10.160026885 +0100
> @@ -2105,6 +2105,19 @@
>  	  the file to the list in <file>debian/files</file>.</p>
>        </sect>
 
> +    <sect id="embeddedfiles">
> +      <heading>Embedding code provided in other packages</heading>
> +      <p>
> +      Should the upstream source ship with a convenience copy of an external
> +      library, and this library is already packaged in Debian, the Debian
> +      package should not embed or include this code.
> +      Instead, the package should be modified to reference the required
> +      files in the library package provided by Debian, and a Depends and/or
> +      Build-Depends relationship declared as required.
> +      Optionally, the convenience copy should not be compiled in the
> +      build-process. 
> +      </p>
> +      </sect>
>      </chapt>
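Review bot: "the Debian package should not embed or include this code" reads as an instruction to strip the convenience copy out of the upstream source, whereas the following sentence ("reference the required files in the library package provided by Debian") describes leaving it in place and not using it; saying "should not use this code" would make the two sentences agree. Style: the line "build-process. " carries trailing whitespace, and closing `</p>` on its own line departs from the inline `</p>` used in the context line `<file>debian/files</file>.</p>`.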
 
I find this wording a little confusing in that I can't figure out whether
it implies the Debian maintainer should remove the embedded external
library from the upstream source tarball (which I don't think is what you
meant).  The last line in particular seems to present as an alternative
the approach that I'd expect to be the most common.

Something like:

    Some software packages include in their distribution convenience
    copies of libraries from other software packages, generally so that
    users compiling from source don't have to download multiple packages.
    Debian packages should not make use of these convenience copies.  If
    the included library is already in the Debian archive, the Debian
    packaging should ensure that the software is linked with the libraries
    already in Debian and the convenience copy is not used.  If the
    included library is not already in Debian, it should be packaged
    separately as a prerequisite.

    Having multiple copies of the same code in Debian is inefficient,
    often creates either static linking or shared library conflicts, and,
    most importantly, increases the difficulty of handling security
    vulnerabilities in the shared code.

perhaps?

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #138 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 26 Jun 2007 17:15:47 +0100
[Message part 1 (text/plain, inline)]
On Tue, Jun 26, 2007 at 04:54:31PM +0200, Bill Allombert wrote:
Updated :)

> 1) "this library is already packaged in Debian":
Removed

> 2) "Optionally ... should not" seems internally inconsistent.
Changed to:
> "Preferably,... should not"


> But I certainly lift my objection.
> 

Great :) Not sure if these changes need re-seconding now though.

Any thoughts from people on the list?
Neil
-- 
<Maulkin> Damned Inselaffen. Oh, wait, that's me.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #143 received at 392362@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>, 392362@bugs.debian.org
Cc: Neil McGovern <neilm@debian.org>
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 26 Jun 2007 19:05:36 +0200
Bill Allombert wrote:
> On Tue, Jun 26, 2007 at 01:59:58PM +0100, Neil McGovern wrote:
>> On Mon, Jun 25, 2007 at 05:33:53PM +0200, Bill Allombert wrote:

> Two comments:
> 
> 1) "this library is already packaged in Debian":
> If it is not packaged, it should be packaged instead of using the
> convenience copy. Otherwise three problems can appear:
> 1.1) if the library is packaged separately afterward.
> 1.2) if two packages include independently a convenience copy of the 
> same library.
> 1.3) the security team might miss security issues in a library if
> it is not packaged but only used through a convenience copy.
> 
> The keyword is "convenience" here: it does not apply to copy
> shipped as part of a larger tarball as the main distribution medium.

A convenience copy is AFAIK always part of the upstream tarball. The main
reason for not using convenience copies is security related IMHO and not
package size or having (a possibly other version of) the same library
(package) available at some point.

Cheers

Luk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #148 received at 392362@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: debian-policy@lists.debian.org, Neil McGovern <neilm@debian.org>, 392362@bugs.debian.org
Cc: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 26 Jun 2007 20:06:16 +0200
[Message part 1 (text/plain, inline)]
On Tuesday 26 June 2007 18:15:47 Neil McGovern wrote:
> Great :) Not sure if these changes need re-seconding now though.

well, if there's any possibility that they do, consider them re-seconded :)


	sean
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #153 received at 392362@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Russ Allbery <rra@debian.org>, 392362@bugs.debian.org
Cc: Neil McGovern <neilm@debian.org>
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 26 Jun 2007 23:37:31 +0200
[Message part 1 (text/plain, inline)]
On Tue, Jun 26, 2007 at 08:36:51AM -0700, Russ Allbery wrote:
> 
> Something like:
> 
>     Some software packages include in their distribution convenience
>     copies of libraries from other software packages, generally so that
>     users compiling from source don't have to download multiple packages.
>     Debian packages should not make use of these convenience copies.  If
>     the included library is already in the Debian archive, the Debian
>     packaging should ensure that the software is linked with the libraries
>     already in Debian and the convenience copy is not used.  If the
>     included library is not already in Debian, it should be packaged
>     separately as a prerequisite.
> 
>     Having multiple copies of the same code in Debian is inefficient,
>     often creates either static linking or shared library conflicts, and,
>     most importantly, increases the difficulty of handling security
>     vulnerabilities in the shared code.
> 
> perhaps?

I'm seconding this proposal.  It seems to be worded much better.


Kurt

[signature.asc (application/pgp-signature, inline)]

Information stored:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Message #156 received at 392362-quiet@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: debian-policy@lists.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 26 Jun 2007 15:43:14 -0700
Neil McGovern <neilm@debian.org> writes:
> On Tue, Jun 26, 2007 at 08:36:51AM -0700, Russ Allbery wrote:

>>     Some software packages include in their distribution convenience
>>     copies of libraries from other software packages, generally so that
>>     users compiling from source don't have to download multiple
>>     packages.  Debian packages should not make use of these convenience
>>     copies.  If the included library is already in the Debian archive,
>>     the Debian packaging should ensure that the software is linked with
>>     the libraries already in Debian and the convenience copy is not
>>     used.  If the included library is not already in Debian, it should
>>     be packaged separately as a prerequisite.

> I've tried to stay away from compile type language (and to some extent
> 'link') as it's not only C* programs that this affects.

Hm.  Good point.  I think we can use your wording there:

    If the included library is already in the Debian archive, the Debian
    packaging should ensure that the software references the library
    already in Debian and that the convenience copy is not used.

>>     Having multiple copies of the same code in Debian is inefficient,
>>     often creates either static linking or shared library conflicts,
>>     and, most importantly, increases the difficulty of handling
>>     security vulnerabilities in the shared code.

> Hrm... does rationale belong in policy?

This is one of the things that was discussed at the Policy BoF at DebConf,
and Manoj and I would both like to start adding it.  In the future, we'll
be doing so in a new format that allows rationale to be tagged separately
and marked as informative rather than normative.  But it's very valuable
to have rationale so that years later we can figure out why we changed
something.  (See the difficulties in figuring out just why Policy requires
-D_REENTRANT, for example.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #161 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: debian-policy@lists.debian.org, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 27 Jun 2007 00:06:12 +0100
[Message part 1 (text/plain, inline)]
On Tue, Jun 26, 2007 at 03:43:14PM -0700, Russ Allbery wrote:
> This is one of the things that was discussed at the Policy BoF at DebConf,
> and Manoj and I would both like to start adding it.  In the future, we'll
> be doing so in a new format that allows rationale to be tagged separately
> and marked as informative rather than normative.  But it's very valuable
> to have rationale so that years later we can figure out why we changed
> something.  (See the difficulties in figuring out just why Policy requires
> -D_REENTRANT, for example.)
> 

Good point. I tried to make that BoF, but was a bit busy running around
madly :|

New patch attached.

Neil
-- 
< twb> I don't see why anyone would want to "cyber" with a 16yo.  IME none of
	them can spell, and they probably haven't had the relevant experience to
	write convincing prose.  It's not like their ASCII is going to be any more
	supple for them being sixteen.
[policy.sgml.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #166 received at 392362@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 04 Jul 2007 01:00:39 -0700
Neil McGovern <neilm@debian.org> writes:
> On Tue, Jun 26, 2007 at 08:36:51AM -0700, Russ Allbery wrote:

>>     Some software packages include in their distribution convenience
>>     copies of libraries from other software packages, generally so that
>>     users compiling from source don't have to download multiple
>>     packages.  Debian packages should not make use of these convenience
>>     copies.  If the included library is already in the Debian archive,
>>     the Debian packaging should ensure that the software is linked with
>>     the libraries already in Debian and the convenience copy is not
>>     used.  If the included library is not already in Debian, it should
>>     be packaged separately as a prerequisite.

> I've tried to stay away from compile type language (and to some extent
> 'link') as it's not only C* programs that this affects.

>>     Having multiple copies of the same code in Debian is inefficient,
>>     often creates either static linking or shared library conflicts,
>>     and, most importantly, increases the difficulty of handling
>>     security vulnerabilities in the shared code.

> Hrm... does rationale belong in policy?

> I like the wording though :)

Here's a proposed patch based on that wording, with the correction already
previously noted.

Comments?

--- orig/policy.sgml
+++ mod/policy.sgml
@@ -2077,6 +2077,30 @@
 	  the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+      <sect id="embeddedfiles">
+	<heading>Convenience copies of libraries</heading>
+
+	<p>
+	  Some software packages include in their distribution convenience
+	  copies of libraries from other software packages, generally so
+	  that users compiling from source don't have to download multiple
+	  packages.  Debian packages should not make use of these
+	  convenience copies.  If the included library is already in the
+	  Debian archive, the Debian packaging should ensure that binary
+	  packages reference the libraries already in Debian and the
+	  convenience copy is not used.	 If the included library is not
+	  already in Debian, it should be packaged separately as a
+	  prerequisite.
+	  <footnote>
+	    Having multiple copies of the same code in Debian is
+	    inefficient, often creates either static linking or shared
+	    library conflicts, and, most importantly, increases the
+	    difficulty of handling security vulnerabilities in the shared
+	    code.
+	  </footnote>
+	</p>
+      </sect>
+
     </chapt>
 
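Review bot: this revision drops the earlier draft's sentence that a Depends and/or Build-Depends relationship is declared on the Debian library package; "binary packages reference the libraries already in Debian" states the goal but not the debian/control consequence, so keeping one sentence saying the build should depend on the library's development package would give maintainers something concrete to act on and reviewers something to check. Also, the line "convenience copy is not used.	 If the included library is not" contains a literal tab between the two sentences, which will render as irregular spacing in the generated document.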
-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #171 received at 392362@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Russ Allbery <rra@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 4 Jul 2007 02:01:26 -0700
On Wed, Jul 04, 2007 at 01:00:39AM -0700, Russ Allbery wrote:
> +	  <footnote>
> +	    Having multiple copies of the same code in Debian is
> +	    inefficient, often creates either static linking or shared
> +	    library conflicts, and, most importantly, increases the
> +	    difficulty of handling security vulnerabilities in the shared
> +	    code.

Perhaps "common code" or "duplicated code" instead of "shared code", to
avoid ambiguity wrt shared libraries?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy. Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>. Full text and rfc822 format available.

Message #176 received at 392362@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 04 Jul 2007 12:22:42 -0700
Steve Langasek <vorlon@debian.org> writes:

> Perhaps "common code" or "duplicated code" instead of "shared code", to
> avoid ambiguity wrt shared libraries?

How about "duplicated code"?  New patch:

--- orig/policy.sgml
+++ mod/policy.sgml
@@ -2077,6 +2077,30 @@
 	  the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+      <sect id="embeddedfiles">
+	<heading>Convenience copies of libraries</heading>
+
+	<p>
+	  Some software packages include in their distribution convenience
+	  copies of libraries from other software packages, generally so
+	  that users compiling from source don't have to download multiple
+	  packages.  Debian packages should not make use of these
+	  convenience copies.  If the included library is already in the
+	  Debian archive, the Debian packaging should ensure that binary
+	  packages reference the libraries already in Debian and the
+	  convenience copy is not used.	 If the included library is not
+	  already in Debian, it should be packaged separately as a
+	  prerequisite.
+	  <footnote>
+	    Having multiple copies of the same code in Debian is
+	    inefficient, often creates either static linking or shared
+	    library conflicts, and, most importantly, increases the
+	    difficulty of handling security vulnerabilities in the
+	    duplicated code.
+	  </footnote>
+	</p>
+      </sect>
+
     </chapt>
 
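Review bot: the two "should" sentences in the `<p>` ("the Debian packaging should ensure that binary packages reference the libraries already in Debian" and "it should be packaged separately as a prerequisite") are unconditional and give no guidance for a convenience copy that upstream has modified so that it no longer matches the library in the archive; the maintainer's realistic options there are merging the changes, keeping the copy internal and linking it statically, or splitting it into its own source package, and the text should at least add "if possible" to the second sentence or name the fallback. Separately, the section id `embeddedfiles` and the bug title speak of embedded code generally while the heading and body cover only libraries; one of them should be widened or the other narrowed so that readers know whether copied scripts and modules are in scope.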
-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Message #181 received at 392362@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Russ Allbery <rra@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 4 Jul 2007 12:35:47 -0700
On Wed, Jul 04, 2007 at 12:22:42PM -0700, Russ Allbery wrote:
> > Perhaps "common code" or "duplicated code" instead of "shared code", to
> > avoid ambiguity wrt shared libraries?

> How about "duplicated code"?  New patch:

Looks good to me.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/




Message #186 received at 392362@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Russ Allbery <rra@debian.org>, 392362@bugs.debian.org
Cc: debian-policy@lists.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Mon, 16 Jul 2007 23:57:18 +0200
On Wed, Jul 04, 2007 at 12:22:42PM -0700, Russ Allbery wrote:
> Steve Langasek <vorlon@debian.org> writes:
> 
> > Perhaps "common code" or "duplicated code" instead of "shared code", to
> > avoid ambiguity wrt shared libraries?
> 
> How about "duplicated code"?  New patch:

I have 2 comments about this:
- It was suggested that this shouldn't only cover libraries.  This
  version still only talks about libraries.
- Some packages contain a forked version of a library.  Policy should
  say to try and merge them in the Debian package.  This might
  not work for all packages since the changes aren't compatible, in
  which case I see 2 options:
  - Keep it internal and link statically
  - Make a separate source package of it.
  It would be nice if policy suggested one of those approaches.  But I'm
  not really sure this belongs in policy.


Kurt

> 
> --- orig/policy.sgml
> +++ mod/policy.sgml
> @@ -2077,6 +2077,30 @@
>  	  the file to the list in <file>debian/files</file>.</p>
>        </sect>
>  
> +      <sect id="embeddedfiles">
> +	<heading>Convenience copies of libraries</heading>
> +
> +	<p>
> +	  Some software packages include in their distribution convenience
> +	  copies of libraries from other software packages, generally so
> +	  that users compiling from source don't have to download multiple
> +	  packages.  Debian packages should not make use of these
> +	  convenience copies.  If the included library is already in the
> +	  Debian archive, the Debian packaging should ensure that binary
> +	  packages reference the libraries already in Debian and the
> +	  convenience copy is not used.	 If the included library is not
> +	  already in Debian, it should be packaged separately as a
> +	  prerequisite.
> +	  <footnote>
> +	    Having multiple copies of the same code in Debian is
> +	    inefficient, often creates either static linking or shared
> +	    library conflicts, and, most importantly, increases the
> +	    difficulty of handling security vulnerabilities in the
> +	    duplicated code.
> +	  </footnote>
> +	</p>
> +      </sect>
> +
>      </chapt>
>  
> -- 
> Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
> 




Message #191 received at 392362@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Mon, 06 Aug 2007 00:08:04 -0700
Kurt Roeckx <kurt@roeckx.be> writes:
> On Wed, Jul 04, 2007 at 12:22:42PM -0700, Russ Allbery wrote:
>> Steve Langasek <vorlon@debian.org> writes:

>>> Perhaps "common code" or "duplicated code" instead of "shared code", to
>>> avoid ambiguity wrt shared libraries?

>> How about "duplicated code"?  New patch:

> I have 2 comments about this:
> - It was suggested that this shouldn't only cover libraries.  This
>   version still only talks about libraries.

A valid point.  See a proposed new wording patch below which uses "code"
instead of libraries and tries to be more general.  Does this look good to
you?  And do the other people who reviewed the previous wording proposals
have any objections?

> - Some packages contain a forked version of a library.  Policy should
>   say to try and merge them in the Debian package.  This might
>   not work for all packages since the changes aren't compatible, in
>   which case I see 2 options:
>   - Keep it internal and link statically
>   - Make a separate source package of it.
>   It would be nice if policy suggested one of those approaches.  But I'm
>   not really sure this belongs in policy.

I can see wanting to do one of those things in some cases and another in
other cases.  I think the wording below encourages the separate source
package where possible, but allows for the internal use and static linkage
where it isn't, which from a Policy perspective is probably the best that
we can do.

--- orig/policy.sgml
+++ mod/policy.sgml
@@ -2077,6 +2077,30 @@
 	  the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+      <sect id="embeddedfiles">
+	<heading>Convenience copies of code</heading>
+
+	<p>
+	  Some software packages include in their distribution convenience
+	  copies of code from other software packages, generally so that
+	  users compiling from source don't have to download multiple
+	  packages.  Debian packages should not make use of these
+	  convenience copies.  If the included code is already in the
+	  Debian archive in the form of a library, the Debian packaging
+	  should ensure that binary packages reference the libraries
+	  already in Debian and the convenience copy is not used.  If the
+	  included code is not already in Debian, it should be packaged
+	  separately as a prerequisite if possible.
+	  <footnote>
+	    Having multiple copies of the same code in Debian is
+	    inefficient, often creates either static linking or shared
+	    library conflicts, and, most importantly, increases the
+	    difficulty of handling security vulnerabilities in the
+	    duplicated code.
+	  </footnote>
+	</p>
+      </sect>
+
     </chapt>
 
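Review bot: replacing "libraries" with "code" makes "Debian packages should not make use of these convenience copies" apply to files that upstream projects copy into nearly every source tree by design and that only run at build time (the Autotools helper scripts are the obvious case), so as written a large part of the archive would violate the new section. Limit the rule to copies that are compiled or linked into the generated binary packages, or add an explicit exception for build-time-only files. The one concrete requirement, "binary packages reference the libraries already in Debian and the convenience copy is not used", would also benefit from saying how: build against the archive library and keep the embedded directory out of the build, which gives reviewers something they can verify on the built binaries rather than a statement of intent.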
-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Message #196 received at 392362@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Russ Allbery <rra@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Mon, 6 Aug 2007 18:57:08 +0200
On Mon, Aug 06, 2007 at 12:08:04AM -0700, Russ Allbery wrote:
> 
> --- orig/policy.sgml
> +++ mod/policy.sgml
> @@ -2077,6 +2077,30 @@
>  	  the file to the list in <file>debian/files</file>.</p>
>        </sect>
>  
> +      <sect id="embeddedfiles">
> +	<heading>Convenience copies of code</heading>
> +
> +	<p>
> +	  Some software packages include in their distribution convenience
> +	  copies of code from other software packages, generally so that
> +	  users compiling from source don't have to download multiple
> +	  packages.  Debian packages should not make use of these
> +	  convenience copies.  If the included code is already in the
> +	  Debian archive in the form of a library, the Debian packaging
> +	  should ensure that binary packages reference the libraries
> +	  already in Debian and the convenience copy is not used.  If the
> +	  included code is not already in Debian, it should be packaged
> +	  separately as a prerequisite if possible.
> +	  <footnote>
> +	    Having multiple copies of the same code in Debian is
> +	    inefficient, often creates either static linking or shared
> +	    library conflicts, and, most importantly, increases the
> +	    difficulty of handling security vulnerabilities in the
> +	    duplicated code.
> +	  </footnote>
> +	</p>
> +      </sect>
> +
>      </chapt>

I second this proposal.


Kurt



Message #201 received at 392362@bugs.debian.org (full text, mbox):

From: Micah Anderson <micah@riseup.net>
To: 392362@bugs.debian.org
Subject: Second a second time
Date: Mon, 6 Aug 2007 16:11:20 -0400
I'm seconding the proposal as it is at this point.

Micah




Message #206 received at 392362@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 392362@bugs.debian.org
Subject: final call: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 7 Aug 2007 17:26:05 +0100
I think we've got consensus, and certainly a couple of seconds to the
final draft of this item now.

Any objections before this can go in?

Neil
-- 
int getRandomNumber() {
    return 4; // chosen by fair dice roll. guaranteed to be random.
}
// http://xkcd.com/c221.html


Message #211 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 15 Aug 2007 14:52:36 +0200
On Mon, Jul 16, 2007 at 11:57:18PM +0200, Kurt Roeckx wrote:
> On Wed, Jul 04, 2007 at 12:22:42PM -0700, Russ Allbery wrote:
> > Steve Langasek <vorlon@debian.org> writes:
> > 
> > > Perhaps "common code" or "duplicated code" instead of "shared code", to
> > > avoid ambiguity wrt shared libraries?
> > 
> > How about "duplicated code"?  New patch:

I would like to stress the point that it is better to get a limited
version of this in the policy and then expand it with hindsight than
to try to cover all cases from the start.

> I have 2 comments about this:
> - It was suggested that this shouldn't only cover libraries.  This
>   version still only talks about libraries.

When I wrote this, I meant library in the general sense, not in the
"shared library" sense to cover perl, python, php, ruby, haskell modules
etc. A library being a piece of code set up to be used in a larger
program rather than on its own.

I find the wording "convenience copy of library from other software
packages" much more telling than "convenience copy of code from other
software packages" that could be misinterpreted. For example,
a lot of packages include a convenience copy of scripts part of automake
(install-sh, depcomp, etc.). The sentence
"Debian packages should not make use of these convenience copies."
seems to imply that they should not be used.

> - Some packages contain a forked version of a library.  Policy should
>   say to try and merge them in the Debian package.  This might
>   not work for all packages since the changes aren't compatible, in
>   which case I see 2 options:
>   - Keep it internal and link statically
>   - Make a separate source package of it.
>   It would be nice if policy suggested one of those approaches.  But I'm
>   not really sure this belongs in policy.

This is a non-Debian-specific best practice, so probably does not
belong in policy.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 




Message #216 received at 392362@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
Cc: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 15 Aug 2007 12:19:26 -0700
Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr> writes:

> I find the wording "convenience copy of library from other software
> packages" much more telling than "convenience copy of code from other
> software packages" that could be misinterpreted. For example, a lot of
> packages include a convenience copy of scripts part of automake
> (install-sh, depcomp, etc.). The sentence "Debian packages should not
> make use of these convenience copies."  seems to imply that they should
> not be used.

Bleh.  That's a valid point and I'm not sure how to deal with it without
going back to the previous wording.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Message #221 received at 392362@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Thu, 29 Nov 2007 21:02:43 -0800
Okay, here's yet another try at the wording for this that tries to exclude
Autotools and friends without making the wording too awkward.
Word-smithing welcome (as are any other comments).

--- orig/policy.sgml
+++ mod/policy.sgml
@@ -2077,6 +2077,32 @@
 	  the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+      <sect id="embeddedfiles">
+	<heading>Convenience copies of code</heading>
+
+	<p>
+	  Some software packages include in their distribution convenience
+	  copies of code from other software packages, generally so that
+	  users compiling from source don't have to download multiple
+	  packages.  Debian packages should not make use of these
+	  convenience copies unless they are used only during the package
+	  build and are not included or linked into generated binary
+	  packages.  If the included code is already in the Debian archive
+	  in the form of a library, the Debian packaging should ensure
+	  that binary packages reference the libraries already in Debian
+	  and the convenience copy is not used.  If the included code is
+	  not already in Debian, it should be packaged separately as a
+	  prerequisite if possible.
+	  <footnote>
+	    Having multiple copies of the same code in Debian is
+	    inefficient, often creates either static linking or shared
+	    library conflicts, and, most importantly, increases the
+	    difficulty of handling security vulnerabilities in the
+	    duplicated code.
+	  </footnote>
+	</p>
+      </sect>
+
     </chapt>
 
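Review bot: the new exception "unless they are used only during the package build and are not included or linked into generated binary packages" handles build helpers but not code that upstream intends to be copied in and compiled into the program (portability and utility functions of the gnulib kind): that code is linked into the binary package, so the prohibition still applies, yet there is no library in the archive to reference instead, which leaves the maintainer without a compliant option. Either name that case (code intended to be embedded, with an upstream mechanism for refreshing the copy) or say plainly that it is a documented exception to the "should". Since the footnote gives security handling as the main rationale, it is also worth recommending that any copy retained under an exception be recorded in the packaging (which upstream code, at which version), so the duplicated code can be found when a vulnerability in it is fixed.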
-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>





Message #226 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Russ Allbery <rra@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Fri, 30 Nov 2007 11:59:49 +0100
On Thu, Nov 29, 2007 at 09:02:43PM -0800, Russ Allbery wrote:
> Okay, here's yet another try at the wording for this that tries to exclude
> Autotools and friends without making the wording too awkward.
> Word-smithing welcome (as are any other comments).

I am not objecting to this wording, but I am afraid it covers situations
where there is no easy solution, in particular, it does not offer
solutions when the convenience copy is not a library. I think that
generally, the severity of a policy violation should differ depending on
whether there is an 'easy' way out or not. However, it might be that the
word 'convenience copy' addresses these concerns. (An embedded copy is a
convenience copy as long as you could reasonably do without it).

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 





Message #231 received at 392362@bugs.debian.org (full text, mbox):

From: Lars Wirzenius <liw@iki.fi>
To: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>, 392362@bugs.debian.org
Cc: Russ Allbery <rra@debian.org>
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Fri, 30 Nov 2007 14:09:18 +0200
On pe, 2007-11-30 at 11:59 +0100, Bill Allombert wrote:
> On Thu, Nov 29, 2007 at 09:02:43PM -0800, Russ Allbery wrote:
> > Okay, here's yet another try at the wording for this that tries to exclude
> > Autotools and friends without making the wording too awkward.
> > Word-smithing welcome (as are any other comments).
> 
> I am not objecting to this wording, but I am afraid it covers situations
> where there is no easy solution,

Policy does not override common sense, of course. If Policy prescribes
something that is technically bad for a particular package, the package
maintainer has the ability to document why Policy is wrong in that case,
and do the right thing instead. So I would not worry too much about this
in this instance.







Message #236 received at 392362@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sat, 01 Dec 2007 22:34:10 -0800
Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr> writes:
> On Thu, Nov 29, 2007 at 09:02:43PM -0800, Russ Allbery wrote:

>> Okay, here's yet another try at the wording for this that tries to
>> exclude Autotools and friends without making the wording too awkward.
>> Word-smithing welcome (as are any other comments).

> I am not objecting to this wording, but I am afraid it covers situations
> where there is no easy solution, in particular, it does not offer
> solutions when the convenience copy is not a library. I think that
> generally, the severity of a policy violation should differ depending on
> whether there is an 'easy' way out or not. However, it might be that the
> word 'convenience copy' addresses these concerns. (An embedded copy is a
> convenience copy as long as you could reasonably do without it).

Yeah, I think the convenience word does help there.  For example, I share
some common support code between multiple packages, but I wouldn't
consider this requirement relevant to that, since it's not a convenience
copy of code from other packages.  It's code that just happens to be
duplicated across multiple packages but which has no independent existence
(and different packages often have subtly different versions).

Also, this is where "should" comes in; if there's a good reason not to do
it, one can not do it.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>





Message #241 received at 392362@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Russ Allbery <rra@debian.org>, 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 5 Dec 2007 17:08:49 +0000
On Thu, Nov 29, 2007 at 09:02:43PM -0800, Russ Allbery wrote:
> Okay, here's yet another try at the wording for this that tries to exclude
> Autotools and friends without making the wording too awkward.
> Word-smithing welcome (as are any other comments).
> 
> --- orig/policy.sgml
> +++ mod/policy.sgml
> @@ -2077,6 +2077,32 @@
>  	  the file to the list in <file>debian/files</file>.</p>
>        </sect>
>  
> +      <sect id="embeddedfiles">
> +	<heading>Convenience copies of code</heading>
> +
> +	<p>
> +	  Some software packages include in their distribution convenience
> +	  copies of code from other software packages, generally so that
> +	  users compiling from source don't have to download multiple
> +	  packages.  Debian packages should not make use of these
> +	  convenience copies unless they are used only during the package
> +	  build and are not included or linked into generated binary
> +	  packages.

This has the unfortunate property of excluding Gnulib, which is a
library of code explicitly designed by the GNU build system folks to
live alongside the Autotools and be copied into packages to provide
replacements for missing functions. Perhaps something like this would
work?

  Debian packages should not make use of these convenience copies unless
  the intent of the other package is explicitly to be copied in this
  way<footnote>For example, parts of the GNU Build System work like
  this.</footnote>, and the other package provides a straightforward
  mechanism for keeping the copy up to date.

Alternatively, maybe we might want to explicitly sign off on exceptions
somehow. I can see that the security team might not be terribly happy
about supporting libinsecure by Inexperienced Developer
<newbie@example.org> who thinks everyone should copy his library into
their own programs ...

-- 
Colin Watson                                       [cjwatson@debian.org]





Message #246 received at 392362@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: 392362@bugs.debian.org
Cc: Colin Watson <cjwatson@debian.org>
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 5 Dec 2007 18:26:17 +0100
On Wed, Dec 05, 2007 at 05:08:49PM +0000, Colin Watson wrote:
> This has the unfortunate property of excluding Gnulib, which is a
> library of code explicitly designed by the GNU build system folks to
> live alongside the Autotools and be copied into packages to provide
> replacements for missing functions. Perhaps something like this would
> work?

I expect that on a Sid system, there will be no missing functions to
replace, so Gnulib will not actually embed code.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 





Message #251 received at 392362@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
Cc: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Wed, 5 Dec 2007 17:55:50 +0000
On Wed, Dec 05, 2007 at 06:26:17PM +0100, Bill Allombert wrote:
> On Wed, Dec 05, 2007 at 05:08:49PM +0000, Colin Watson wrote:
> > This has the unfortunate property of excluding Gnulib, which is a
> > library of code explicitly designed by the GNU build system folks to
> > live alongside the Autotools and be copied into packages to provide
> > replacements for missing functions. Perhaps something like this would
> > work?
> 
> I expect that on a Sid system, there will be no missing functions to
> replace, so Gnulib will not actually embed code.

Gnulib in fact provides a number of other useful utility functions as
well as simply replacement functions (e.g. xmalloc, xasprintf,
compile_csharp_using_pnet, execute_java_class) so this assumption may
well not be correct.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
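
Whether a given built binary actually carries gnulib's utility functions, or a library's convenience copy, as the two preceding messages disagree about, can be checked from the build output. The following is an added example by the editor, not code from this thread or from any Debian tool: it classifies a binary from the text of `readelf -d` and `nm`; the library descriptions, the characteristic symbols and the two sample outputs are constructed assumptions.

```python
"""Does a built binary use the library already in Debian, or a convenience copy?

Reads the text output of ``readelf -d`` (for DT_NEEDED sonames) and ``nm``
(for the symbol table) of one ELF binary and classifies, per library of
interest, whether the library is referenced as a shared object, compiled in
from an embedded copy, or not used at all.  The sample outputs below are
constructed by hand for two hypothetical binaries.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set

# matches " 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]"
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")
# matches "0000000000001189 T inflate" and "                 U malloc@GLIBC_2.2.5"
NM_RE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")
# nm type letters meaning "referenced here but defined elsewhere"
UNDEFINED = {"U", "w", "v"}


@dataclass(frozen=True)
class Library:
    name: str
    soname: Optional[str]      # None for code that has no shared-library form (gnulib)
    symbols: FrozenSet[str]    # assumed characteristic symbols of the library


def needed_sonames(readelf_dyn: str) -> Set[str]:
    """Sonames the binary asks the dynamic linker to load."""
    return {m.group(1) for m in NEEDED_RE.finditer(readelf_dyn)}


def symbol_table(nm_text: str) -> Dict[str, str]:
    """Map bare symbol name -> nm type letter; version suffixes (@GLIBC_...) dropped."""
    table: Dict[str, str] = {}
    for line in nm_text.splitlines():
        m = NM_RE.match(line.strip())
        if m:
            table[m.group(2).split("@", 1)[0]] = m.group(1)
    return table


def classify(lib: Library, needed: Set[str], table: Dict[str, str]) -> str:
    """Verdict for one library:
    system-library : archive soname is NEEDED and no characteristic symbol is local
    embedded-copy  : characteristic symbols are defined inside the binary itself
    mixed          : defined locally *and* the archive library is NEEDED
    not-used       : neither
    """
    defined = {s for s in lib.symbols if s in table and table[s] not in UNDEFINED}
    uses_system = lib.soname is not None and lib.soname in needed
    if defined:
        return "mixed" if uses_system else "embedded-copy"
    return "system-library" if uses_system else "not-used"


def audit(readelf_dyn: str, nm_text: str, libs: Iterable[Library]) -> Dict[str, str]:
    needed = needed_sonames(readelf_dyn)
    table = symbol_table(nm_text)
    return {lib.name: classify(lib, needed, table) for lib in libs}


# Libraries of interest (assumed sonames and characteristic symbols).
ZLIB = Library("zlib", "libz.so.1", frozenset({"inflate", "deflate"}))
GNULIB = Library("gnulib", None, frozenset({"xmalloc", "xasprintf"}))

# Constructed sample: a binary built against the archive's libz.
GOOD_READELF = """\
Dynamic section at offset 0x2d90 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x1000
"""
GOOD_NM = """\
0000000000001189 T main
                 U inflate@ZLIB_1.2.0
                 U deflate@ZLIB_1.2.0
                 U malloc@GLIBC_2.2.5
"""

# Constructed sample: a binary with zlib's convenience copy and gnulib compiled in.
BAD_READELF = """\
Dynamic section at offset 0x2d90 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x1000
"""
BAD_NM = """\
0000000000001189 T main
0000000000002340 T inflate
0000000000003120 T deflate
0000000000004000 T xmalloc
0000000000004080 T xasprintf
                 U malloc@GLIBC_2.2.5
"""

if __name__ == "__main__":
    for label, dyn, nm in (("good", GOOD_READELF, GOOD_NM), ("bad", BAD_READELF, BAD_NM)):
        print(label, audit(dyn, nm, [ZLIB, GNULIB]))
```

On a real package the two inputs come from `readelf -d` and `nm` run on each ELF file in the built tree; a `mixed` verdict is the one to look at closely, since it means both copies are in play.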





Message #256 received at 392362@bugs.debian.org (full text, mbox):

From: Ian Jackson <ian@davenant.greenend.org.uk>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 18 Dec 2007 20:11:49 +0000
Colin Watson writes ("Bug#392362: [PROPOSAL] Add should not embed code from other packages"):
> Gnulib in fact provides a number of other useful utility functions as
> well as simply replacement functions (e.g. xmalloc, xasprintf,
> compile_csharp_using_pnet, execute_java_class) so this assumption may
> well not be correct.

When we find a /tmp handling vulnerability in gnulib, will we not have
a serious problem?

Ian.





Message #261 received at 392362@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Ian Jackson <ian@davenant.greenend.org.uk>
Cc: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 18 Dec 2007 13:03:01 -0800
Ian Jackson <ian@davenant.greenend.org.uk> writes:
> Colin Watson writes:

>> Gnulib in fact provides a number of other useful utility functions as
>> well as simply replacement functions (e.g. xmalloc, xasprintf,
>> compile_csharp_using_pnet, execute_java_class) so this assumption may
>> well not be correct.

> When we find a /tmp handling vulnerability in gnulib, will we not have
> a serious problem?

The sort of functions that gnulib provides are generally not going to have
this sort of problem, but yes.  It's a worry.

On the other hand, gnulib simply doesn't support a library model of use,
and has a lot of infrastructure built up around *not* being used that
way.  To turn it into a library and modify source packages to link against
it would be quite a bit of work on the Debian side that's not the
direction that upstream is going.  So I think we're on the bad end of that
tradeoff.

In the interest of getting *something* into Policy, even if it doesn't
give us everything that we want, I'm inclined to accept Colin's suggestion
and exempt cases where upstream intends the code to be embedded and not
used as a separate library.  It means that Policy won't be helping with a
few of our annoying cases, but at least we say something about the general
case and the specific cases can still be dealt with on a case-by-case
basis the way that we do now.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>.

Message #266 received at 392362@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Sun, 30 Dec 2007 17:41:13 -0800
Colin Watson <cjwatson@debian.org> writes:

> This has the unfortunate property of excluding Gnulib, which is a
> library of code explicitly designed by the GNU build system folks to
> live alongside the Autotools and be copied into packages to provide
> replacements for missing functions. Perhaps something like this would
> work?
>
>   Debian packages should not make use of these convenience copies unless
>   the intent of the other package is explicitly to be copied in this
>   way<footnote>For example, parts of the GNU Build System work like
>   this.</footnote>, and the other package provides a straightforward
>   mechanism for keeping the copy up to date.

I'm not sure that the last bit really applies to Gnulib, and I'm not sure
it's easily measured.  I'm inclined to leave it off and just go with this:

--- orig/policy.sgml
+++ mod/policy.sgml
@@ -2077,6 +2077,34 @@
 	  the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+      <sect id="embeddedfiles">
+	<heading>Convenience copies of code</heading>
+
+	<p>
+	  Some software packages include in their distribution convenience
+	  copies of code from other software packages, generally so that
+	  users compiling from source don't have to download multiple
+	  packages.  Debian packages should not make use of these
+	  convenience copies unless the included package is explicitly
+	  intended to be used in this way.<footnote>
+	    For example, parts of the GNU build system work like this.
+	  </footnote>
+	  If the included code is already in the Debian archive in the
+	  form of a library, the Debian packaging should ensure that
+	  binary packages reference the libraries already in Debian and
+	  the convenience copy is not used.  If the included code is not
+	  already in Debian, it should be packaged separately as a
+	  prerequisite if possible.
+	  <footnote>
+	    Having multiple copies of the same code in Debian is
+	    inefficient, often creates either static linking or shared
+	    library conflicts, and, most importantly, increases the
+	    difficulty of handling security vulnerabilities in the
+	    duplicated code.
+	  </footnote>
+	</p>
+      </sect>
+
     </chapt>
 
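Review bot: The exemption in the new paragraph's first sentence, `unless the included package is explicitly intended to be used in this way`, drops the second half of the condition proposed in the quoted message (`the other package provides a straightforward mechanism for keeping the copy up to date`), so the text now places no expectation at all on an exempted convenience copy being kept current, even though the second footnote names the difficulty of handling security vulnerabilities in duplicated code as the main reason for the section. If the up-to-date clause is really not measurable, consider at least asking that the origin and version of an exempted embedded copy be recorded in the packaging so it can be located when a fix in the original code needs to be tracked. Separately, the two footnotes are placed inconsistently: the first is attached directly after `in this way.` while the second sits on its own line after `if possible.`; attaching the second the same way keeps the paragraph's footnote style consistent.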
After all, simply satisfying this requirement doesn't give one a free pass
through the security team evaluation, and they can always reject packages
for other reasons.

Unless there are any objections, I'll commit this for the next version,
since I think we've pretty much reached consensus on it.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#392362; Package debian-policy.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>.

Message #271 received at 392362@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 392362@bugs.debian.org
Subject: Re: Bug#392362: [PROPOSAL] Add should not embed code from other packages
Date: Tue, 04 Mar 2008 18:56:42 -0800
Russ Allbery <rra@debian.org> writes:

> I'm not sure that the last bit really applies to Gnulib, and I'm not
> sure it's easily measured.  I'm inclined to leave it off and just go
> with this:

I have applied this version of the wording to my Policy arch repository.

> --- orig/policy.sgml
> +++ mod/policy.sgml
> @@ -2077,6 +2077,34 @@
>  	  the file to the list in <file>debian/files</file>.</p>
>        </sect>
>  
> +      <sect id="embeddedfiles">
> +	<heading>Convenience copies of code</heading>
> +
> +	<p>
> +	  Some software packages include in their distribution convenience
> +	  copies of code from other software packages, generally so that
> +	  users compiling from source don't have to download multiple
> +	  packages.  Debian packages should not make use of these
> +	  convenience copies unless the included package is explicitly
> +	  intended to be used in this way.<footnote>
> +	    For example, parts of the GNU build system work like this.
> +	  </footnote>
> +	  If the included code is already in the Debian archive in the
> +	  form of a library, the Debian packaging should ensure that
> +	  binary packages reference the libraries already in Debian and
> +	  the convenience copy is not used.  If the included code is not
> +	  already in Debian, it should be packaged separately as a
> +	  prerequisite if possible.
> +	  <footnote>
> +	    Having multiple copies of the same code in Debian is
> +	    inefficient, often creates either static linking or shared
> +	    library conflicts, and, most importantly, increases the
> +	    difficulty of handling security vulnerabilities in the
> +	    duplicated code.
> +	  </footnote>
> +	</p>
> +      </sect>
> +
>      </chapt>

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Tags added: pending. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Wed, 05 Mar 2008 03:15:15 GMT)

Tags removed: patch. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Mon, 17 Mar 2008 05:57:04 GMT)

Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility.

Notification sent to Neil McGovern <neilm@debian.org>:
Bug acknowledged by developer.

Message #280 received at 392362-close@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 392362-close@bugs.debian.org
Subject: Bug#392362: fixed in debian-policy 3.8.0.0
Date: Wed, 04 Jun 2008 23:32:03 +0000
Source: debian-policy
Source-Version: 3.8.0.0

We believe that the bug you reported is fixed in the latest version of
debian-policy, which is due to be installed in the Debian FTP archive:

debian-policy_3.8.0.0.dsc
  to pool/main/d/debian-policy/debian-policy_3.8.0.0.dsc
debian-policy_3.8.0.0.tar.gz
  to pool/main/d/debian-policy/debian-policy_3.8.0.0.tar.gz
debian-policy_3.8.0.0_all.deb
  to pool/main/d/debian-policy/debian-policy_3.8.0.0_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 392362@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated debian-policy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 04 Jun 2008 15:53:27 -0700
Source: debian-policy
Binary: debian-policy
Architecture: source all
Version: 3.8.0.0
Distribution: unstable
Urgency: low
Maintainer: Debian Policy List <debian-policy@lists.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 debian-policy - Debian Policy Manual and related documents
Closes: 65577 186700 209008 250202 291460 367984 379150 392362 403391 422552 430649 431813 440420 442070 452105 455602 458910 473761 475731 480551 481640 481954
Changes: 
 debian-policy (3.8.0.0) unstable; urgency=low
 .
   * Bug fix: "[PROPOSAL] "debian/README.source" file for packages with
     non-trivial source", thanks to Wouter Verhelst, Jörg Sommer, Colin Watson,
     and Junichi Uekawa                                       (Closes: #250202).
   * Bug fix: "[AMENDMENT 11/02/2008] Manual page encoding", thanks to
     Colin Watson                                             (Closes: #440420).
   * Bug fix: "[PROPOSAL] common interface for parallel building in
     DEB_BUILD_OPTIONS", thanks to Loïc Minier, Peter Samuelson, and Robert
     Millan                                                   (Closes: #209008).
   * Bug fix: "Please clarify splitting/syntax of DEB_BUILD_OPTIONS", thanks to
     Loïc Minier, Peter Samuelson, Robert Millan, and Guillem Jover
                                                              (Closes: #430649).
   * Bug fix: "Documentation for Breaks in dpkg", thanks to Ian Jackson
                                                              (Closes: #379150).
   * Bug fix: "support for wrapped Uploaders should now be mandatory"
                                                              (Closes: #431813).
   * Bug fix: "[PROPOSAL] Add should not embed code from other packages",
     thanks to Neil McGovern, Colin Watson, Bill Allombert, Steve Langasek,
     Kurt Roeckx, and others                                  (Closes: #392362).
   * Bug fix: "Homepage field in debian/control undocumented", thanks to
     Mario Iseli                                              (Closes: #452105).
   * Bug fix: "Policy inconsistent with reality: base subsection no longer
     used", thanks to Magnus Holmgren, Bernd Zeimetz, and Colin Watson
                                                              (Closes: #442070).
   * Bug fix: "Inclusion of Apache Software License versions in
     /usr/share/common-licenses", thanks to Barry Hawkins     (Closes: #291460).
   * Bug fix: "[Amended] copyright should include notice if a package is
     not a part of Debian distribution", thanks to Taketoshi Sano
                                                              (Closes: #65577).
   * Bug fix: "scripts as configuration files: should vs. must", thanks to Frank
     Küster                                                   (Closes: #403391).
   * Bug fix: "debconf specification should allow underscores in template
     names", thanks to Colin Watson                           (Closes: #473761).
   * Bug fix: "clarify handling of run-time and compile-time support programs",
     thanks to Goswin Brederlow and Raphael Hertzog           (Closes: #367984).
   * Policy: better document version ranking and empty Debian revisions
     Wording: Russ Allbery <rra@debian.org>
     Seconded: Raphaël Hertzog <hertzog@debian.org>
     Seconded: Manoj Srivastava <srivasta@debian.org>
     Seconded: Guillem Jover <guillem@debian.org>
     Closes: #186700, #458910
   * Policy: remove obsolete app-defaults and Xresources provisions
     Wording: Julien Cristau <jcristau@debian.org>
     Seconded: Russ Allbery <rra@debian.org>
     Closes: #480551
   * Bug fix: "Examples of dpkg frontends should mention apt now", thanks
     to Josh Triplett                                         (Closes: #455602).
   * Bug fix: "Minor typos and wording suggestions", thanks to Michael
     Tautschnig                                               (Closes: #422552).
   * Bug fix: "substvar reference moved from dpkg-source(1) to
     deb-substvars(5)", thanks to Ian Beckwith                (Closes: #475731).
   * Policy: bugs fixed in NMUs are now closed rather than marked fixed
     Wording: Russ Allbery <rra@debian.org> (thanks, Sandro Tosi)
     Closes: #481640
   * Policy: C.1.4, C.1.8: minor typos
     Wording: Sandro Tosi <matrixhasu@gmail.com>
     Closes: #481954
   * Remove the now-obsolete policy-process document.
   * Add an md5sums control file.
   * Add Vcs-Browser and Vcs-Git control fields.
   * Remove build system support for FHS 2.1 and FSSTND, mostly commented out.
   * Remove more temporary files created by the build.
   * Remove the FSSTND license from debian/copyright; no FSSTND files are
     currently part of policy.
   * Update FHS copyright dates in debian/copyright.
   * Standardize the spacing around headings in upgrading-checklist.html.
   * Remove old ChangeLog files and metadata headers in maintainer scripts
     and debian/rules.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 04 Jul 2008 07:35:23 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 14:39:52 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.