Re: Static-Built-Using and binNMUs?

To: Simon Josefsson <simon@josefsson.org>
Cc: debian-go@lists.debian.org
Subject: Re: Static-Built-Using and binNMUs?
From: Maytham Alsudany <maytham@debian.org>
Date: Wed, 30 Apr 2025 18:59:32 +0300
Message-id: <[🔎] 69d199e1affc34fcd5dc2187763afa3d86c3144e.camel@debian.org>
In-reply-to: <B974BD61-A686-45FE-93B5-AEF6B8B0EBC8@josefsson.org>
References: <CAL1h13Ox0gq+Wwq_RGEg1NN46uDf3N55VdTzW_VbxaQYBZTa9g@mail.gmail.com> <B974BD61-A686-45FE-93B5-AEF6B8B0EBC8@josefsson.org>

On Wed, 2025-04-30 at 06:44 +0200, Simon Josefsson wrote:
> Thanks - so the answer depends on license… although I don’t see anything that
> forbid use of it regardless. What about apache2? Is there a list of licenses
> with the source requirement?

No, nothing that forbids it regardless. Having both
  Built-Using: ${misc:Built-Using}
  Static-Built-Using: ${misc:Static-Built-Using}
is what should be done. Fixing it so Built-Using only gets the necessary
packages is something that can be done in dh-golang.

The Rust team conveniently provide a list of licenses as well as the logic
their tooling uses to determine if a package needs to be mentioned in
Built-Using at
https://salsa.debian.org/rust-team/dh-cargo/-/blob/master/dh-cargo-built-using#L17

> OTOH I don’t think the gpl requires the source to be shipped alongside the
> binary. It just has to be available on request. Snapshot solve that, I think.
> 
> Btw did you intend to skip Debian-go@ in cc? Feel free to re-add it on reply.

The one time I use gmail's online interface... Re-added :)

Thanks.
--
Maytham

> > 30 apr. 2025 kl. 06:37 skrev Maytham Alsudany <maytham@debian.org>:
> > 
> > On Sat, Apr 26, 2025 at 8:58 PM Simon Josefsson <simon@josefsson.org> wrote:
> > > I don't have an answer to your issue - but what is not clear to me is if
> > > we should remove the Built-Using: headers when adding
> > > Static-Built-Using?  I get QA linter complaints when Built-Using: is
> > > missing, so for a small number of packages I just added
> > > Static-Built-Using: but maybe I should also remove Built-Using: and
> > > ignore the linter complaints?
> > 
> > From the proposed policy text:
> > Unlike Built-Using, the Debian archive will **not** retain the
> > versions of the source packages listed in the Static-Built-Using
> > field. This means that any package listed in Static-Built-Using that
> > contains a license requiring its source code to be available must also
> > simultaneously be listed in the Built-Using field.
> > [...]
> > A package statically linked with the libraries contained in the
> > librust-gtk4-dev and librust-pulsectl-rs-dev binary packages, where
> > the latter is licensed under GPL-3+ (a license that requires full
> > source code to be available), would have these fields in its control
> > file:
> >    Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)
> >    Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1+b1)
> > 
> > The tooling in the Rust team currently does this, checking for source-
> > required licenses in the d/copyright files in the dependency tree.
> > 
> > Hope that helps.
> > --
> > Maytham

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Prev by Date: Should we delete pkg-go-tools, provisioning, migrate-pkg-go-to-salsa etc?
Previous by thread: Re: Static-Built-Using and binNMUs?
Next by thread: Bug#1104309: ITP: golang-github-a-h-parse -- Set of parsing tools for Go
Index(es):
- Date
- Thread