Hi,
Ping for further feedback or seconds for the proposed policy change to
clarify and document the use of the Static-Built-Using field.
On Sat, 2024-04-27 at 17:40 +0800, Maytham Alsudany wrote:
> Thanks for your input and suggestions. I've attached an updated patch with
> several changes, including making the description of the field more
> specific, adding another example that is not Go/Rust related, and improving the
> Rust example to show the simultaneous use of Static-Built-Using and Built-Using.
>
> I would greatly appreciate any more feedback for this new patch. If you believe
> that it is complete (and you are a DD), it would be very helpful if you could
> second this consensus and proposal.
[..]
> Below is the relevant part of the updated patch, to save you from downloading
> the attachment:
>
> ``Static-Built-Using``
> ~~~~~~~~~~~~~~~~~~~~~~
>
> This ``Static-Built-Using`` field must list source packages whose
> contents (like source code or data) were incorporated into the binary
> package during the build, including an "exactly equal" ("=") version
> relation on the version that was used to build that version of the
> incorporating binary package.
>
> Cases where this field may be used include (but are not limited to)
> linking against static libraries in other packages, builds for
> source-centered languages such as Go and Rust, usage of header-only
> C/C++ libraries and injecting data blobs into code.
>
> This is useful to track whether the package might need to be rebuilt
> when source packages listed here have been updated. This is important
> to stay ahead of the package failing to build from source (FTBFS) with
> the updated versions of the listed source packages, or security
> updates in the listed source packages.
>
> Unlike Built-Using, the Debian archive will **not** retain the
> versions of the source packages listed in the Static-Built-Using
> field. This means that any package listed in Static-Built-Using whose
> license requires its source code to be available must also
> simultaneously be listed in the Built-Using field.
>
> A package that needs domain name suffix data from the publicsuffix
> binary package would list it in the ``Static-Built-Using`` field like
> so:
>
> ::
>
>     Static-Built-Using: publicsuffix (= 20231001.0357-0.1)
>
> A package statically linked with a library from the
> golang-github-mattn-go-xmpp-dev binary package would have this field
> in its control file:
>
> ::
>
>     Static-Built-Using: golang-github-mattn-go-xmpp (= 0.2.0-1)
>
> A package statically linked with the libraries contained in the
> librust-gtk4-dev and librust-pulsectl-rs-dev binary packages, where
> the latter is licensed under GPL-3+ (a license that requires full
> source code to be available), would have these fields in its control
> file:
>
> ::
>
>     Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)
>     Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1+b1)
--
Maytham Alsudany
Debian Maintainer
maytham @ OFTC
maytha8 @ Libera
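As an added example, not part of this thread or of the policy patch: a small Python check that parses the two fields from a debian/control binary stanza and flags the situations the proposed text is concerned with (a relation other than "=", a listed source package that has since been updated in the archive and so marks a rebuild candidate, and a source-availability licence that needs a matching Built-Using entry). The stanza, the "current archive versions" and the set of copyleft sources are all constructed here, and exact string comparison stands in for dpkg version ordering.

```python
import re

# Constructed debian/control binary stanza, modelled on the Rust example
# in the proposed policy text (not a real package).
SAMPLE_STANZA = """\
Package: example-gtk-mixer
Architecture: amd64
Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)
Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1+b1)
"""

# Constructed view of the source versions currently in the archive, as if
# rust-gtk4 had received an update since the binary was built.
CURRENT_SOURCE_VERSIONS = {"rust-gtk4": "0.7.3-4", "rust-pulsectl-rs": "0.3.2-1+b1"}

# One "source (rel version)" entry; Built-Using style fields only allow "=",
# but the other relations are recognised so they can be reported.
_REL_RE = re.compile(r"^\s*([a-z0-9][a-z0-9+.-]+)\s*\(\s*(=|<<|<=|>=|>>)\s*([^)]+?)\s*\)\s*$")

def _parse_relation(entry):
    m = _REL_RE.match(entry)
    if not m:
        raise ValueError(f"malformed relation: {entry!r}")
    return m.group(1), m.group(2), m.group(3)

def parse_field(stanza, field):
    """Return [(source, relation, version), ...] for a comma-separated
    *-Built-Using field, or [] when the stanza has no such field."""
    for line in stanza.splitlines():
        if line.startswith(field + ":"):
            value = line.split(":", 1)[1]
            return [_parse_relation(e) for e in value.split(",") if e.strip()]
    return []

def check_stanza(stanza, current, gpl_sources=()):
    """Return human-readable problems found in Static-Built-Using,
    in field order; an empty list means nothing needs attention."""
    problems = []
    built = {src for src, _, _ in parse_field(stanza, "Built-Using")}
    for src, rel, ver in parse_field(stanza, "Static-Built-Using"):
        if rel != "=":
            problems.append(f"{src}: relation must be '=' not '{rel}'")
        elif current.get(src) not in (None, ver):
            problems.append(f"{src}: built with {ver}, archive now has {current[src]}; rebuild candidate")
        if src in gpl_sources and src not in built:
            problems.append(f"{src}: source-availability licence but missing from Built-Using")
    return problems

if __name__ == "__main__":
    for p in check_stanza(SAMPLE_STANZA, CURRENT_SOURCE_VERSIONS, {"rust-pulsectl-rs"}):
        print(p)
```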
From 06cf64756ff1ee66d845e86dcf5c9dafd4a84b39 Mon Sep 17 00:00:00 2001
From: Maytham Alsudany <maytha8thedev@gmail.com>
Date: Thu, 18 Apr 2024 22:29:01 +0300
Subject: [PATCH] Require use of Static-Built-Using to declare
statically-linked libraries
---
policy/ch-relationships.rst | 60 +++++++++++++++++++++++++++++++++++--
1 file changed, 58 insertions(+), 2 deletions(-)
diff --git a/policy/ch-relationships.rst b/policy/ch-relationships.rst
index fb9dae8..636e2a5 100644
--- a/policy/ch-relationships.rst
+++ b/policy/ch-relationships.rst
@@ -666,8 +666,8 @@ dependency to install.
.. _s-built-using:
-Additional source packages used to build the binary - ``Built-Using``
----------------------------------------------------------------------
+Additional source packages used to build the binary - ``Built-Using`` and ``Static-Built-Using``
+------------------------------------------------------------------------------------------------
Some binary packages incorporate parts of other packages when built
but do not have to depend on those packages. Examples include linking
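Review bot: the existing label ``.. _s-built-using:`` now sits above a heading that covers both fields, so every cross-reference to it lands on the combined section rather than on Built-Using specifically; consider adding a dedicated label above the new ``Static-Built-Using`` subsection (a name such as ``.. _s-static-built-using:`` is only a suggestion) so the two fields can be referenced independently.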
@@ -676,6 +676,9 @@ package during the build. In this case, the source packages of those
other packages are part of the complete source (the binary package is
not reproducible without them).
+``Built-Using``
+~~~~~~~~~~~~~~~
+
When the license of either the incorporated parts or the incorporating
binary package requires that the full source code of the incorporating
binary package be made available, the ``Built-Using`` field must list
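Review bot: this hunk introduces the ``~`` underline for the new ``Built-Using`` subsection below a ``-`` underlined heading; docutils assigns heading levels by the order in which underline characters first appear in a file, so check that ``~`` is not already used at a different depth elsewhere in ch-relationships.rst, otherwise the new subsection will render at the wrong level.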
@@ -710,6 +713,59 @@ requirements to retain the referenced source packages. It should not
be added solely as a way to locate packages that need to be rebuilt
against newer versions of their build dependencies.
+``Static-Built-Using``
+~~~~~~~~~~~~~~~~~~~~~~
+
+This ``Static-Built-Using`` field must list source packages who's
+contents (like source code or data) were incorporated into the binary
+package during the build, including an "exactly equal" ("=") version
+relation on the version that was used to build that version of the
+incorporating binary package.
+
+Cases where this field may be used include (but are not limited to)
+linking against static libraries in other packages, builds for
+source-centered languages such as Go and Rust, usage of header-only
+C/C++ libraries and injecting data blobs into code.
+
+This is useful to track whether the package might need to be rebuilt
+when source packages listed here have been updated. This is important
+to stay ahead of the package failing to build from source (FTBFS) with
+the updated versions of the listed source packages, or security
+updates in the listed source packages.
+
+Unlike Built-Using, the Debian archive will **not** retain the
+versions of the source packages listed in the Static-Built-Using
+field. This means that any package listed in Static-Built-Using who's
+license requires its source code to be available must also
+simultaneously be listed in the Built-Using field.
+
+A package that needs domain name suffix data from the publicsuffix
+binary package would list it in the ``Static-Built-Using`` field like
+so:
+
+::
+
+ Static-Built-Using: publicsuffix (= 20231001.0357-0.1)
+
+A package statically linked with a library from the
+golang-github-mattn-go-xmpp-dev binary package would have this field
+in its control file:
+
+::
+
+ Static-Built-Using: golang-github-mattn-go-xmpp (= 0.2.0-1)
+
+A package statically linked with the libraries contained in the
+librust-gtk4-dev and librust-pulsectl-rs-dev binary packages, where
+the latter is licensed under GPL-3+ (a license that requires full
+source code to be available), would have these fields in its control
+file:
+
+::
+
+ Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)
+ Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1+b1)
+
.. [#]
The relations ``<`` and ``>`` were previously allowed, but they were
confusingly defined to mean earlier/later or equal rather than
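Review bot: the first paragraph states what ``Static-Built-Using`` must contain but never says when the field itself must be present, although the commit subject says "Require use"; add an explicit trigger (when the field is mandatory versus the "may be used" cases listed in the second paragraph). Smaller points in the same hunk: "who's" should be "whose" on both lines, "This ``Static-Built-Using`` field" reads better as "The ``Static-Built-Using`` field", and in the Rust example "rust-pulsectl-rs (= 0.3.2-1+b1)" appears to carry a binNMU suffix, which belongs to a binary version while both fields reference source package versions (the source version would be 0.3.2-1), so the example should be checked against the field definition.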
--
2.39.2