From 5fa33a9bf643e15e62f42021aef121e062f437c3 Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra@debian.org>
Date: Wed, 5 Mar 2008 02:55:59 +0000
Subject: [PATCH] Debian packages should not use convenience libraries

Document that Debian packages should not use convenience copies of
libraries and instead link to the library that's already present in
Debian.  Thanks to Neil McGovern, Bill Allombert, Kurt Roeckx,
Steve Langasek, Colin Watson, and others for wording suggestions.
Closes #392362.

git-archimport-id: rra@debian.org--lenny/debian-policy--devel--3.7--patch-32
---
 debian/changelog         |  3 +++
 policy.sgml              | 28 ++++++++++++++++++++++++++++
 upgrading-checklist.html |  3 +++
 3 files changed, 34 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 21a9e5e..e0ce0b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ debian-policy (3.7.4.0) unstable; urgency=low
     Colin Watson                                             (Closes: #440420).
   * Bug fix: "support for wrapped Uploaders should now be mandatory"
                                                              (Closes: #431813).
+  * Bug fix: "[PROPOSAL] Add should not embed code from other packages",
+    thanks to Neil McGovern, Colin Watson, Bill Allombert, Steve Langasek,
+    Kurt Roeckx, and others                                  (Closes: #392362).
   * Bug fix: "Examples of dpkg frontends should mention apt now", thanks
     to Josh Triplett                                         (Closes: #455602).
   * Bug fix: "Minor typos and wording suggestions", thanks to Michael
diff --git a/policy.sgml b/policy.sgml
index 262db3c..a53af99 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -2076,6 +2076,34 @@
 	  the file to the list in <file>debian/files</file>.</p>
       </sect>
 
+      <sect id="embeddedfiles">
+	<heading>Convenience copies of code</heading>
+
+	<p>
+	  Some software packages include in their distribution convenience
+	  copies of code from other software packages, generally so that
+	  users compiling from source don't have to download multiple
+	  packages.  Debian packages should not make use of these
+	  convenience copies unless the included package is explicitly
+	  intended to be used in this way.<footnote>
+	    For example, parts of the GNU build system work like this.
+	  </footnote>
+	  If the included code is already in the Debian archive in the
+	  form of a library, the Debian packaging should ensure that
+	  binary packages reference the libraries already in Debian and
+	  the convenience copy is not used.  If the included code is not
+	  already in Debian, it should be packaged separately as a
+	  prerequisite if possible.
+	  <footnote>
+	    Having multiple copies of the same code in Debian is
+	    inefficient, often creates either static linking or shared
+	    library conflicts, and, most importantly, increases the
+	    difficulty of handling security vulnerabilities in the
+	    duplicated code.
+	  </footnote>
+	</p>
+      </sect>
+
     </chapt>
 
 
diff --git a/upgrading-checklist.html b/upgrading-checklist.html
index e3eedd2..d0afa35 100644
--- a/upgrading-checklist.html
+++ b/upgrading-checklist.html
@@ -54,6 +54,9 @@ picking your way through this list.
 
 <pre>
 3.7.4.0                        unreleased
+     * Debian packages should not use convience copies of code from other
+       packages unless the included package is explicitly intended to be
+       used that way.                                            [4.13]
      * The Uploaders field in debian/control may be wrapped.     [5.6.3]
      * Manual pages in locale-specific directories should use either the
        legacy encoding for that directory or UTF-8.  Country names should
-- 
2.39.5