[Secure-testing-team] Bug#392362: [PROPOSAL] Add should not embed
code from other packages
Neil McGovern
neilm at debian.org
Wed Oct 11 10:45:39 UTC 2006
Package: debian-policy
Version: 3.7.2.2
Severity: wishlist
Tags: patch
Hi all,
I'm including a patch that adds a should not to policy.
Title: Embedding code provided in other packages
Synopsis: Packages should not include or embed code that is available in
other packages.
Rationale: If a package contains embedded code, it becomes vulnerable
to security bugs in the code it embeds. It's a) very hard to
track this and b) makes it very hard to fix, as we have to
issue multiple DSAs and fixed packages for any particular
issue. A current list of packages we know to embed code is
at [0].
Cheers,
Neil
[0]
http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
-------------- next part --------------
--- policy.sgml
+++ policy.sgml
@@ -2105,6 +2105,14 @@
the file to the list in <file>debian/files</file>.</p>
</sect>
+ <sect id="embededfiles">
+ <heading>Embedding code provided in other packages</heading>
+ <p>
+ A package should not embed or include code from other
+ packages. Instead, the package should me modified to link against the
+ required files provided by the other package, and a Depends
+ relationship declared.</p>
+ </sect>
</chapt>
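Review bot: the added paragraph has a typo, "the package should me modified" should read "should be modified", and the section id "embededfiles" is misspelled with a single "d"; since the id is a link target, correct it to "embeddedfiles" before this lands rather than after other documents reference it. The wording "link against the required files" also covers only code that can be linked, so consider phrasing it as "use the files provided by the other package" so that embedded copies which are not linked fall under the same rule. The new section gives no reason for the requirement; one sentence carrying the rationale from the covering mail (a security bug in the embedded code has to be fixed in every package that carries a copy) would help maintainers reading policy on its own.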