Bug#1069256: debian-policy: clarify requirement for use of Static-Built-Using
Hi!
On Tue, Aug 05, 2025 at 12:48:58AM +0200, Guillem Jover wrote:
> [...]
> > Note that these fields refer to version 0.3.2-1+b1, which is a binNMU
> > version, not a source package version (though it may be the source
> > package name). So this would presumably not be acceptable. But as
> > the primary purpose of the Static-Built-Using field is to record the
> > versions of packages used during the build, surely we should be using
> > *binary* packages and versions in this field, not the *source*
> > packages and versions?
>
> To give some context, the new field came about when concerns were
> raised about reuse of Built-Using for the non-license cases. So the
> field naturally inherited the previous semantics, just in a different
> field. (But I'm not saying this to argue that this is thus correct. :)
I've been thinking a bit more about this field, and wondered if we
could tighten up its purpose? The current wording in deb-control
says:
This is useful to track whether this package might need to be
rebuilt when source packages listed here have been updated, for
example due to security updates.
Could we say instead something like this?
When packages listed here are updated, this package should also be
updated, for example because of changed functionality potentially
impacting the package behaviour, or for security updates.
Then this opens the door to potentially using it for automatic
rebuilding, rather than just a convenient place to list packages that
were used during the build process. (The buildinfo files already do
that, though I don't believe we currently retain them, which is a
shame.)
Best wishes,
Julian
Reply to: