Bug#1069256: debian-policy: clarify requirement for use of Static-Built-Using
On Mon, Aug 04, 2025 at 05:05:26PM +0200, Fabian Grünbichler wrote:
> On August 4, 2025 3:55:56 PM GMT+02:00, Chris Hofstaedtler <zeha@debian.org> wrote:
> >On Mon, Aug 04, 2025 at 02:40:07PM +0100, Julian Gilbey wrote:
> >> Hi!
> >> > +::
> >> > +
> >> > + Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)
> >> > + Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1+b1)
> >> > +
> >[..]
> >> I would therefore propose changing the Static-Built-Using field to use
> >> *binary* packages and versions rather than *source* packages and
> >> versions to fix this.
> >
> >Thanks for noticing. At least I've overlooked this in the past, but
> >I always understood S-B-U to list binary package names and binary
> >package versions.
> >
> >Let's see what everyone else thinks, but I think dealing here with source
> >package names is not a good idea.
>
> I think for rust-*, it should make no practical difference, except for corner
> cases where binary packages/versions would be more correct anyhow.
>
> The tooling emitting this (and possibly consuming it already?) would
> need to be updated of course..
Indeed.
Looking at the packages listed in Static-Built-Using (SBU) fields in
Debian testing main, we find the following:
* 2215 distinct packages are listed in SBU fields.
* 38 of these are also the name of a binary package
* 19 of these 38 have a different Source package version number
* Of the remaining source packages:
- 742 are called golang-* (excluding golang-1.18 to golang-1.24)
- 1409 are called rust-*
Modifying the tooling in these two ecosystems would presumably solve
all or almost all of the affected packages.
* This leaves 21 other packages listed (excluding golang-1.*) that
would need modifications to their "users"; there are 43 distinct
"users" in total:
castle-game-engine
Package: castle-model-viewer
continuity
Package: distrobuilder
Package: docker-buildx
Package: docker-compose
etcd
Package: minio-client
gobgp
Package: incus
Package: incus-agent
Package: incus-base
Package: incus-client
Package: incus-extra
Package: lxd
Package: lxd-agent
Package: lxd-client
Package: lxd-migrate
Package: lxd-tools
go-containerregistry
Package: cosign
Package: gitsign
Package: gittuf
Package: rekor
Package: sigstore-go
go-md2man-v2
Package: dasel
Package: didder
Package: distrobuilder
Package: docker-buildx
Package: docker-compose
Package: etcd-client
Package: etcd-server
Package: gh
Package: gitsign
Package: glab
Package: lego
Package: hugo
Package: incus
Package: incus-agent
Package: incus-base
Package: incus-client
Package: incus-extra
Package: lxd
Package: lxd-agent
Package: lxd-client
Package: lxd-migrate
Package: lxd-tools
Package: rclone
Package: syncthing
Package: syncthing-discosrv
Package: syncthing-relaysrv
Package: victoria-metrics
gopacket
Package: coredhcp-client
Package: coredhcp-server
Package: incus
Package: incus-agent
Package: incus-base
Package: incus-client
Package: incus-extra
Package: lxd
Package: lxd-agent
Package: lxd-client
Package: lxd-migrate
Package: lxd-tools
klibc
Package: mksh
nanosvg
Package: fuzzel
relic
Package: cosign
Package: gitsign
Package: gittuf
Package: rekor
Package: sigstore-go
tree-sitter
Package: sdml
Package: turtlefmt
tree-sitter-c
Package: neovim
tree-sitter-lua
Package: neovim
tree-sitter-markdown
Package: neovim
tree-sitter-query
Package: neovim
tree-sitter-sdml
Package: sdml
tree-sitter-vim
Package: neovim
tree-sitter-vimdoc
Package: neovim
trillian
Package: gitsign
Package: gittuf
Package: rekor
universal-detector
Package: unar
zlib
Package: gpgv-static
Package: sash
Best wishes,
Julian
Reply to: