Your message dated Wed, 04 Jun 2008 23:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#392362: fixed in debian-policy 3.8.0.0
has caused the Debian Bug report #392362,
regarding [PROPOSAL] Add should not embed code from other packages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
392362: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392362
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: debian-policy
Version: 3.7.2.2
Severity: wishlist
Tags: patch
Hi all,
I'm including a patch that adds a should not to policy.
Title: Embedding code provided in other packages
Synopsis: Packages should not include or embed code that is available in
other packages.
Rationale: If a package contains embedded code, it becomes vulnerable
to security bugs in the code it embeds. It's a) very hard to
track this and b) makes it very hard to fix, as we have to
issue multiple DSAs and fixed packages for any particular
issue. A current list of packages we know to embed code is
at [0].
Cheers,
Neil
[0] http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
--- policy.sgml
+++ policy.sgml
@@ -2105,6 +2105,14 @@
the file to the list in <file>debian/files</file>.</p>
</sect>
+ <sect id="embededfiles">
+ <heading>Embedding code provided in other packages</heading>
+ <p>
+ A package should not embed or include code from other
+ packages. Instead, the package should me modified to link against the
+ required files provided by the other package, and a Depends
+ relationship declared.</p>
+ </sect>
</chapt>
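Review bot: the added paragraph reads "the package should me modified", which should be "should be modified", and the section id "embededfiles" is misspelled; fix it to "embeddedfiles" now, before anything links to it. The rule is also worded more broadly than the proposal's synopsis: "code from other packages" covers any copied code, while the synopsis restricts it to code "that is available in other packages", so the policy text should carry the same restriction. "Link against" only fits compiled libraries; a more general verb such as "use" would cover scripts and data files that are embedded the same way.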
--- End Message ---
--- Begin Message ---
Source: debian-policy
Source-Version: 3.8.0.0
We believe that the bug you reported is fixed in the latest version of
debian-policy, which is due to be installed in the Debian FTP archive:
debian-policy_3.8.0.0.dsc
to pool/main/d/debian-policy/debian-policy_3.8.0.0.dsc
debian-policy_3.8.0.0.tar.gz
to pool/main/d/debian-policy/debian-policy_3.8.0.0.tar.gz
debian-policy_3.8.0.0_all.deb
to pool/main/d/debian-policy/debian-policy_3.8.0.0_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <[EMAIL PROTECTED]> (supplier of updated debian-policy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Wed, 04 Jun 2008 15:53:27 -0700
Source: debian-policy
Binary: debian-policy
Architecture: source all
Version: 3.8.0.0
Distribution: unstable
Urgency: low
Maintainer: Debian Policy List <debian-policy@lists.debian.org>
Changed-By: Russ Allbery <[EMAIL PROTECTED]>
Description:
debian-policy - Debian Policy Manual and related documents
Closes: 65577 186700 209008 250202 291460 367984 379150 392362 403391 422552
430649 431813 440420 442070 452105 455602 458910 473761 475731 480551 481640
481954
Changes:
debian-policy (3.8.0.0) unstable; urgency=low
.
* Bug fix: "[PROPOSAL] "debian/README.source" file for packages with
non-trivial source", thanks to Wouter Verhelst, Jörg Sommer, Colin Watson,
and Junichi Uekawa (Closes: #250202).
* Bug fix: "[AMENDMENT 11/02/2008] Manual page encoding", thanks to
Colin Watson (Closes: #440420).
* Bug fix: "[PROPOSAL] common interface for parallel building in
DEB_BUILD_OPTIONS", thanks to Loïc Minier, Peter Samuelson, and Robert
Millan (Closes: #209008).
* Bug fix: "Please clarify splitting/syntax of DEB_BUILD_OPTIONS", thanks to
Loïc Minier, Peter Samuelson, Robert Millan, and Guillem Jover
(Closes: #430649).
* Bug fix: "Documentation for Breaks in dpkg", thanks to Ian Jackson
(Closes: #379150).
* Bug fix: "support for wrapped Uploaders should now be mandatory"
(Closes: #431813).
* Bug fix: "[PROPOSAL] Add should not embed code from other packages",
thanks to Neil McGovern, Colin Watson, Bill Allombert, Steve Langasek,
Kurt Roeckx, and others (Closes: #392362).
* Bug fix: "Homepage field in debian/control undocumented", thanks to
Mario Iseli (Closes: #452105).
* Bug fix: "Policy inconsistent with reality: base subsection no longer
used", thanks to Magnus Holmgren, Bernd Zeimetz, and Colin Watson
(Closes: #442070).
* Bug fix: "Inclusion of Apache Software License versions in
/usr/share/common-licenses", thanks to Barry Hawkins (Closes: #291460).
* Bug fix: "[Amended] copyright should include notice if a package is
not a part of Debian distribution", thanks to Taketoshi Sano
(Closes: #65577).
* Bug fix: "scripts as configuration files: should vs. must", thanks to Frank
Küster (Closes: #403391).
* Bug fix: "debconf specification should allow underscores in template
names", thanks to Colin Watson (Closes: #473761).
* Bug fix: "clarify handling of run-time and compile-time support programs",
thanks to Goswin Brederlow and Raphael Hertzog (Closes: #367984).
* Policy: better document version ranking and empty Debian revisions
Wording: Russ Allbery <[EMAIL PROTECTED]>
Seconded: Raphaël Hertzog <[EMAIL PROTECTED]>
Seconded: Manoj Srivastava <[EMAIL PROTECTED]>
Seconded: Guillem Jover <[EMAIL PROTECTED]>
Closes: #186700, #458910
* Policy: remove obsolete app-defaults and Xresources provisions
Wording: Julien Cristau <[EMAIL PROTECTED]>
Seconded: Russ Allbery <[EMAIL PROTECTED]>
Closes: #480551
* Bug fix: "Examples of dpkg frontends should mention apt now", thanks
to Josh Triplett (Closes: #455602).
* Bug fix: "Minor typos and wording suggestions", thanks to Michael
Tautschnig (Closes: #422552).
* Bug fix: "substvar reference moved from dpkg-source(1) to
deb-substvars(5)", thanks to Ian Beckwith (Closes: #475731).
* Policy: bugs fixed in NMUs are now closed rather than marked fixed
Wording: Russ Allbery <[EMAIL PROTECTED]> (thanks, Sandro Tosi)
Closes: #481640
* Policy: C.1.4, C.1.8: minor typos
Wording: Sandro Tosi <[EMAIL PROTECTED]>
Closes: #481954
* Remove the now-obsolete policy-process document.
* Add an md5sums control file.
* Add Vcs-Browser and Vcs-Git control fields.
* Remove build system support for FHS 2.1 and FSSTND, mostly commented out.
* Remove more temporary files created by the build.
* Remove the FSSTND license from debian/copyright; no FSSTND files are
currently part of policy.
* Update FHS copyright dates in debian/copyright.
* Standardize the spacing around headings in upgrading-checklist.html.
* Remove old ChangeLog files and metadata headers in maintainer scripts
and debian/rules.
--- End Message ---