
Re: License violations for dependencies of Rust and Go programs?



On Wed, 2023-09-27 at 10:41 -0400, John Thorvald Wodder II wrote:

> So was this problem previously known but under-acknowledged, or was it simply
> not brought up before now?  I find it surprising that Debian would allow so
> many license violations to get this far.  Is fixing the tooling to handle this
> considered a priority?  If the author of an uncredited dependency were to
> complain, would Debian be more likely to focus on fixing the tooling posthaste
> or to just pull whatever packages use the dependency in question?

This is the first time this problem was brought up in Debian AFAICT.
Likely no-one thought about it because we are used to dynamic linking,
which doesn't have this problem. Several folks on different IRC
channels discussed the problem yesterday and it is possible the Rust
or Go teams might work on a debhelper addon to solve it. In theory it
could be possible to solve by copying the copyright files of static
libraries into the binary packages they are linked into, probably
using the Built-Using and Static-Build-Using fields. It will also
further bloat the binary packages of Rust/Go/etc based binaries.

We also noted that this is not just a Debian problem, but a problem
with every distro packaging statically linked stuff and with even the
upstream ecosystems. Any project using static linking must deal with
this problem, so every single Rust/Go developer must deal with it.

These links point to some efforts to handle it in the Rust community:

https://github.com/rust-lang/cargo/issues/12053
https://lib.rs/crates/cargo-bundle-licenses
https://lib.rs/crates/cargo-about

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
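
The idea sketched in the message above (using the Built-Using style fields to decide which copyright files to copy into a binary package), as an added example that is not part of the original message and not Debian tooling. The sample stanza, the package names and versions in it, and the `embedded-copyright` directory layout are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Fields naming source packages whose code was linked into the binary.
# "static-build-using" is the spelling used in the message above;
# "static-built-using" is accepted as well.
FIELDS = ("built-using", "static-build-using", "static-built-using")
# One relation has the form: source-name (= version)
RELATION = re.compile(r"^([a-z0-9][a-z0-9+.-]+)\s*\(\s*=\s*([^\s()]+)\s*\)$")

# Constructed sample stanza of a binary package (not a real package).
SAMPLE = """\
Package: hello-rs
Version: 1.0-1
Built-Using: rustc (= 1.70.0+dfsg1-1)
Static-Built-Using: rust-libc (= 0.2.147-1), rust-memchr (= 2.5.0-1),
 rust-regex (= 1.9.3-1)
"""

def parse_stanza(text):
    """Parse one control stanza into {lowercased field: value}, joining folded lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            key = key.strip().lower()
            fields[key] = value.strip()
    return fields

def embedded_sources(stanza_text):
    """Return sorted unique (source, version) pairs that were linked in."""
    fields, found = parse_stanza(stanza_text), set()
    for name in FIELDS:
        for item in filter(None, (i.strip() for i in fields.get(name, "").split(","))):
            match = RELATION.match(item)
            if match is None:
                # Only exact "(= version)" relations identify what was linked in.
                raise ValueError(f"malformed relation in {name}: {item!r}")
            found.add(match.groups())
    return sorted(found)

def copyright_plan(stanza_text, docroot="/usr/share/doc"):
    """Map each embedded source to a destination for its copyright file.
    The embedded-copyright/ directory is a hypothetical layout."""
    base = PurePosixPath(docroot) / parse_stanza(stanza_text)["package"] / "embedded-copyright"
    return {s: str(base / f"{s}_{v}.copyright") for s, v in embedded_sources(stanza_text)}
```

A binary package with many entries in this plan and no matching files shipped is the case the thread is about.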
