
Re: License violations for dependencies of Rust and Go programs?



On Tue, 2023-09-26 at 14:20 -0400, John Thorvald Wodder II wrote:

> I suspect that this problem applies to all programs written in Go or Rust that
> Debian distributes.  Is Debian handling dependency licenses for these packages
> incorrectly, or is there something I'm missing?

Your analysis is correct; some extra context for this problem:

The problem you have identified applies to other statically linked
languages too, so I have updated the wiki page to link to it.

https://wiki.debian.org/StaticLinking

The problem can be more generally stated as: Debian aggregates the
copyright and license of source files we distribute but does not trace
the path from source files to compiled files, and therefore does not
trace which source files each generated file was created from and, as a
subset of that problem, therefore does not trace the flow of copyright
and license information, does not aggregate that information and
does not discover license incompatibilities in the generated files.

This more general problem is very hard to impossible to solve, since it
would mean patching every single build toolchain and source package to
provide traces of the path from source files to compiled files and then
processing those traces to generate copyright info for binary packages.

The specific problem with Rust/Go/etc static linking might be solvable
by a new debhelper command that would read the Built-Using and related
fields and then append each of them to the DEBIAN/copyright files.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
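
The Built-Using idea from the last paragraph of the message, sketched as an added example that is not part of the original message and is not debhelper code. The package names, versions, license texts and the `LOOKUP` table standing in for the embedded sources' copyright files are constructed, and treating Static-Built-Using as one of the "related fields" is an assumption.

```python
import re

# Built-Using is the field the post names; Static-Built-Using is assumed here
# to be one of the "related fields". Both list "source (= version)" entries.
FIELDS = ("Built-Using", "Static-Built-Using")
ENTRY = re.compile(r"^(?P<src>[a-z0-9][a-z0-9+.-]+)\s*\(\s*=\s*(?P<ver>[^\s()]+)\s*\)$")

def parse_stanza(text):
    """Parse one deb822 stanza, joining folded continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def built_using(fields):
    """Return sorted unique (source, version) pairs; reject malformed entries."""
    pairs = set()
    for name in FIELDS:
        for item in filter(None, (p.strip() for p in fields.get(name, "").split(","))):
            m = ENTRY.match(item)
            if not m:
                raise ValueError(f"malformed {name} entry: {item!r}")
            pairs.add((m["src"], m["ver"]))
    return sorted(pairs)

def aggregate_copyright(own, pairs, lookup):
    """Append each embedded source's copyright text; report the ones not found."""
    out, missing = [own.rstrip()], []
    for src, ver in pairs:
        text = lookup.get((src, ver))
        if text is None:
            missing.append((src, ver))  # surface the gap instead of hiding it
            continue
        out.append(f"--- Embedded source: {src} {ver} ---\n{text.rstrip()}")
    return "\n\n".join(out) + "\n", missing

# Constructed sample data (hypothetical package names and versions).
CONTROL = """Package: example-tool
Built-Using: golang-example-a (= 0.3.1-2),
 rust-example-b (= 1.2.0-1)
Static-Built-Using: rust-example-b (= 1.2.0-1), rust-example-c (= 0.9-1)
"""
LOOKUP = {("golang-example-a", "0.3.1-2"): "License: BSD-3-clause\n",
          ("rust-example-b", "1.2.0-1"): "License: MIT or Apache-2.0\n"}
PAIRS = built_using(parse_stanza(CONTROL))
MERGED, MISSING = aggregate_copyright("License: GPL-3+\n", PAIRS, LOOKUP)
```

`MISSING` lists embedded sources whose copyright text could not be found, which a build step could treat as a failure rather than shipping an incomplete copyright file.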
