On Wed, 2025-04-30 at 06:44 +0200, Simon Josefsson wrote:
> Thanks - so the answer depends on license… although I don’t see anything that
> forbids use of it regardless. What about apache2? Is there a list of licenses
> with the source requirement?

No, nothing that forbids it regardless. Having both

    Built-Using: ${misc:Built-Using}
    Static-Built-Using: ${misc:Static-Built-Using}

is what should be done. Fixing it so Built-Using only gets the necessary
packages is something that can be done in dh-golang.

The Rust team conveniently provide a list of licenses as well as the logic
their tooling uses to determine if a package needs to be mentioned in
Built-Using at
https://salsa.debian.org/rust-team/dh-cargo/-/blob/master/dh-cargo-built-using#L17

> OTOH I don’t think the gpl requires the source to be shipped alongside the
> binary. It just has to be available on request. Snapshot solves that, I think.
>
> Btw did you intend to skip Debian-go@ in cc? Feel free to re-add it on reply.

The one time I use gmail's online interface... Re-added :)

Thanks.
-- 
Maytham

>
> On 30 Apr 2025 at 06:37, Maytham Alsudany <maytham@debian.org> wrote:
> >
> > On Sat, Apr 26, 2025 at 8:58 PM Simon Josefsson <simon@josefsson.org> wrote:
> > > I don't have an answer to your issue - but what is not clear to me is if
> > > we should remove the Built-Using: headers when adding
> > > Static-Built-Using? I get QA linter complaints when Built-Using: is
> > > missing, so for a small number of packages I just added
> > > Static-Built-Using: but maybe I should also remove Built-Using: and
> > > ignore the linter complaints?
> >
> > From the proposed policy text:
> >     Unlike Built-Using, the Debian archive will **not** retain the
> >     versions of the source packages listed in the Static-Built-Using
> >     field. This means that any package listed in Static-Built-Using that
> >     contains a license requiring its source code to be available must also
> >     simultaneously be listed in the Built-Using field.
> >     [...]
> >     A package statically linked with the libraries contained in the
> >     librust-gtk4-dev and librust-pulsectl-rs-dev binary packages, where
> >     the latter is licensed under GPL-3+ (a license that requires full
> >     source code to be available), would have these fields in its control
> >     file:
> >         Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)
> >         Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1+b1)
> >
> > The tooling in the Rust team currently does this, checking for source-
> > required licenses in the d/copyright files in the dependency tree.
> >
> > Hope that helps.
> > --
> > Maytham
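The rule from the proposed policy text quoted in the message above, worked through as an added example (not part of the thread, and not the dh-cargo or dh-golang code): every statically linked dependency goes into Static-Built-Using, and those whose d/copyright names a source-requiring license also go into Built-Using. The function names, the license family tuple and the sample d/copyright text are assumptions made for illustration; the authoritative list is the dh-cargo one linked in the message.

```python
import re

# Assumption: license families treated as requiring source, for illustration only.
# This is not the dh-cargo list; GPL-3+ is the only license the thread names.
SOURCE_REQUIRED_FAMILIES = ("GPL", "LGPL", "AGPL")

def licenses_in_copyright(text):
    """Collect short names from the License: fields of a DEP-5 d/copyright file."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"License:\s*(\S.*)", line)
        if m:
            # One field can hold several names: "MIT or Apache-2.0", "GPL-2+ and Expat".
            parts = re.split(r"\s+(?:or|and)\s+|\s*,\s*", m.group(1).strip())
            names.update(p for p in parts if p)
    return names

def requires_source(name):
    """Conservative choice: a listed family counts even as one side of an 'or'."""
    family = re.match(r"[A-Za-z]+", name)
    return bool(family) and family.group(0).upper() in SOURCE_REQUIRED_FAMILIES

def control_fields(deps):
    """deps: (source_package, version, d/copyright text) per statically linked dep."""
    static, built = [], []
    for source, version, copyright_text in sorted(deps):
        entry = f"{source} (= {version})"
        static.append(entry)  # always recorded for tracking
        if any(requires_source(n) for n in licenses_in_copyright(copyright_text)):
            built.append(entry)  # the archive must also retain this source version
    fields = {"Static-Built-Using": ", ".join(static)}
    if built:
        fields["Built-Using"] = ", ".join(built)
    return fields

def sample_copyright(license_name):
    """Constructed d/copyright text; real files carry more stanzas."""
    return f"Files: *\nCopyright: (constructed sample)\nLicense: {license_name}\n"

# Constructed input reusing the package versions from the policy example.
SAMPLE_DEPS = [
    ("rust-pulsectl-rs", "0.3.2-1+b1", sample_copyright("GPL-3+")),
    ("rust-gtk4", "0.7.3-3", sample_copyright("MIT")),
]

if __name__ == "__main__":
    for field, value in control_fields(SAMPLE_DEPS).items():
        print(f"{field}: {value}")
```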