Hi,

Ping for further feedback or seconds for the proposed policy change to clarify and document the use of the Static-Built-Using field.
On Sat, 2024-04-27 at 17:40 +0800, Maytham Alsudany wrote:
> Thanks for your input and suggestions. I've attached an updated patch with
> several changes, including making the description of the field more
> specific, adding another example that is not Go/Rust related, and improving
> the Rust example to show the simultaneous use of Static-Built-Using and
> Built-Using.
>
> I would greatly appreciate any more feedback for this new patch. If you
> believe that it is complete (and you are a DD), it would be very helpful if
> you could second this consensus and proposal.

[..]

> Below is the relevant part of the updated patch, to save you from
> downloading the attachment:
>
> ``Static-Built-Using``
> ~~~~~~~~~~~~~~~~~~~~~~
>
> This ``Static-Built-Using`` field must list source packages whose
> contents (like source code or data) were incorporated into the binary
> package during the build, including an "exactly equal" ("=") version
> relation on the version that was used to build that version of the
> incorporating binary package.
>
> Cases where this field may be used include (but are not limited to)
> linking against static libraries in other packages, builds for
> source-centered languages such as Go and Rust, usage of header-only
> C/C++ libraries and injecting data blobs into code.
>
> This is useful to track whether the package might need to be rebuilt
> when source packages listed here have been updated. This is important
> to stay ahead of the package failing to build from source (FTBFS) with
> the updated versions of the listed source packages, or security
> updates in the listed source packages.
>
> Unlike Built-Using, the Debian archive will **not** retain the
> versions of the source packages listed in the Static-Built-Using
> field. This means that any package listed in Static-Built-Using whose
> license requires its source code to be available must also
> simultaneously be listed in the Built-Using field.
>
> A package that needs domain name suffix data from the publicsuffix
> binary package would list it in the ``Static-Built-Using`` field like
> so:
>
> ::
>
>     Static-Built-Using: publicsuffix (= 20231001.0357-0.1)
>
> A package statically linked with a library from the
> golang-github-mattn-go-xmpp-dev binary package would have this field
> in its control file:
>
> ::
>
>     Static-Built-Using: golang-github-mattn-go-xmpp (= 0.2.0-1)
>
> A package statically linked with the libraries contained in the
> librust-gtk4-dev and librust-pulsectl-rs-dev binary packages, where
> the latter is licensed under GPL-3+ (a license that requires full
> source code to be available), would have these fields in its control
> file:
>
> ::
>
>     Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)
>     Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1+b1)

-- 
Maytham Alsudany
Debian Maintainer
maytham @ OFTC
maytha8 @ Libera
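As an added illustration of the rebuild-tracking use the proposed text describes (example code written for this page, not part of the policy patch or of any Debian tool): a small checker that parses Built-Using and Static-Built-Using out of control stanzas and reports every binary whose embedded copy of another source package no longer matches the source version currently in the archive, which is the case that matters after a security upload of an embedded library. The archive state, the stanzas and the binary package names are constructed sample data; the stanzas use plain source versions because both fields reference source packages.

```python
#!/usr/bin/env python3
"""Added example: stale-embed checker for Built-Using / Static-Built-Using.

Not part of the policy patch or of any Debian tool. It parses the two fields
from control-file stanzas and compares every "(= version)" relation with the
source version currently in the archive, reporting binaries that still embed
an older copy of another source package and therefore need a rebuild.
"""
import re

# Constructed sample archive state: source package -> current source version.
CURRENT_SOURCE_VERSIONS = {
    "publicsuffix": "20240101.0000-1",        # newer than the embedded data
    "golang-github-mattn-go-xmpp": "0.2.0-1",
    "rust-gtk4": "0.7.3-3",
    "rust-pulsectl-rs": "0.3.2-2",             # e.g. a security upload
}

# Constructed sample stanzas (binary package names are made up). Versions are
# source versions, since both fields reference source packages.
SAMPLE_CONTROL = """\
Package: psl-tool
Static-Built-Using: publicsuffix (= 20231001.0357-0.1)

Package: xmpp-bot
Static-Built-Using: golang-github-mattn-go-xmpp (= 0.2.0-1)

Package: mixer
Built-Using: rust-pulsectl-rs (= 0.3.2-1)
Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1)
"""

# A source package name followed by exactly one "(= version)" relation.
_RELATION = re.compile(r"^\s*([a-z0-9][a-z0-9+.-]+)\s*\(\s*=\s*([^()\s]+)\s*\)\s*$")


def parse_relations(value):
    """Turn 'src (= ver), src2 (= ver2)' into [(src, ver), ...].

    Only the exactly-equal relation is allowed in these fields, so any other
    operator (or a bare package name) is rejected rather than guessed at.
    """
    relations = []
    for item in value.split(","):
        match = _RELATION.match(item)
        if match is None:
            raise ValueError(f"unsupported relation: {item.strip()!r}")
        relations.append((match.group(1), match.group(2)))
    return relations


def parse_stanzas(text):
    """Split blank-line-separated control stanzas into {field: value} dicts.

    Continuation lines are not needed for these two fields and not handled.
    """
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def stale_embeds(control_text, archive):
    """Return [(binary, source, embedded_version, archive_version), ...].

    An entry is stale when the embedded version differs from the archive's
    current source version, or when the source is gone from the archive
    (archive_version is then None). A source listed in both fields of the
    same binary is reported once.
    """
    stale, seen = [], set()
    for stanza in parse_stanzas(control_text):
        binary = stanza["Package"]
        for field in ("Built-Using", "Static-Built-Using"):
            if field not in stanza:
                continue
            for source, version in parse_relations(stanza[field]):
                current = archive.get(source)
                if current == version or (binary, source) in seen:
                    continue
                seen.add((binary, source))
                stale.append((binary, source, version, current))
    return stale


if __name__ == "__main__":
    for binary, source, embedded, current in stale_embeds(SAMPLE_CONTROL, CURRENT_SOURCE_VERSIONS):
        print(f"{binary}: rebuild needed, embeds {source} {embedded} (archive has {current})")
```

On the sample data this reports psl-tool (stale publicsuffix data) and mixer (stale rust-pulsectl-rs), and stays silent for xmpp-bot. Exact string comparison is deliberate: the field only ever carries an "=" relation, so any difference from the archive's current source version means the binary was built against something other than what the archive now ships, and dpkg version ordering is not needed to decide that.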
From 06cf64756ff1ee66d845e86dcf5c9dafd4a84b39 Mon Sep 17 00:00:00 2001 From: Maytham Alsudany <maytha8the...@gmail.com> Date: Thu, 18 Apr 2024 22:29:01 +0300 Subject: [PATCH] Require use of Static-Built-Using to declare statically-linked libraries --- policy/ch-relationships.rst | 60 +++++++++++++++++++++++++++++++++++-- 1 file changed, 58 insertions(+), 2 deletions(-) diff --git a/policy/ch-relationships.rst b/policy/ch-relationships.rst index fb9dae8..636e2a5 100644 --- a/policy/ch-relationships.rst +++ b/policy/ch-relationships.rst @@ -666,8 +666,8 @@ dependency to install. .. _s-built-using: -Additional source packages used to build the binary - ``Built-Using`` ---------------------------------------------------------------------- +Additional source packages used to build the binary - ``Built-Using`` and ``Static-Built-Using`` +------------------------------------------------------------------------------------------------ Some binary packages incorporate parts of other packages when built but do not have to depend on those packages. Examples include linking @@ -676,6 +676,9 @@ package during the build. In this case, the source packages of those other packages are part of the complete source (the binary package is not reproducible without them). +``Built-Using`` +~~~~~~~~~~~~~~~ + When the license of either the incorporated parts or the incorporating binary package requires that the full source code of the incorporating binary package be made available, the ``Built-Using`` field must list 
@@ -710,6 +713,59 @@ requirements to retain the referenced source packages. It should not be added solely as a way to locate packages that need to be rebuilt against newer versions of their build dependencies. +``Static-Built-Using`` +~~~~~~~~~~~~~~~~~~~~~~ + +This ``Static-Built-Using`` field must list source packages who's +contents (like source code or data) were incorporated into the binary +package during the build, including an "exactly equal" ("=") version +relation on the version that was used to build that version of the +incorporating binary package. + +Cases where this field may be used include (but are not limited to) +linking against static libraries in other packages, builds for +source-centered languages such as Go and Rust, usage of header-only +C/C++ libraries and injecting data blobs into code. + +This is useful to track whether the package might need to be rebuilt +when source packages listed here have been updated. This is important +to stay ahead of the package failing to build from source (FTBFS) with +the updated versions of the listed source packages, or security +updates in the listed source packages. + +Unlike Built-Using, the Debian archive will **not** retain the +versions of the source packages listed in the Static-Built-Using +field. This means that any package listed in Static-Built-Using who's +license requires its source code to be available must also +simultaneously be listed in the Built-Using field. 
+ +A package that needs domain name suffix data from the publicsuffix +binary package would list it in the ``Static-Built-Using`` field like +so: + +:: + + Static-Built-Using: publicsuffix (= 20231001.0357-0.1) + +A package statically linked with a library from the +golang-github-mattn-go-xmpp-dev binary package would have this field +in its control file: + +:: + + Static-Built-Using: golang-github-mattn-go-xmpp (= 0.2.0-1) + +A package statically linked with the libraries contained in the +librust-gtk4-dev and librust-pulsectl-rs-dev binary packages, where +the latter is licensed under GPL-3+ (a license that requires full +source code to be available), would have these fields in its control +file: + +:: + + Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1) + Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1+b1) + .. [#] The relations ``<`` and ``>`` were previously allowed, but they were confusingly defined to mean earlier/later or equal rather than -- 2.39.2
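Review bot: in the first hunk (the heading change at @@ -666,8 +666,8 @@ and the new ``Built-Using`` sub-heading), the unchanged intro paragraph ("Some binary packages incorporate parts of other packages when built but do not have to depend on those packages. ... the binary package is not reproducible without them") still reads as the rationale for ``Built-Using`` alone now that the section is titled for both fields; add a sentence there saying that ``Built-Using`` covers the license and source-retention case while ``Static-Built-Using`` covers rebuild tracking, so a reader knows which subsection applies before reaching them. The existing ``.. _s-built-using:`` anchor now labels the combined section, and the new ``Built-Using`` subsection gets no label of its own, so cross-references to ``s-built-using`` will land on the combined heading rather than on the ``Built-Using`` text.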
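Review bot: in the second hunk (@@ -710,6 +713,59 @@), the Rust example's ``Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)`` and the matching ``Static-Built-Using`` entry carry a binNMU suffix, but both fields reference source packages and ``+b1`` only exists on binary package versions; the source version is ``0.3.2-1`` (what dpkg's ``${source:Version}`` substvar yields), and no source package with version ``0.3.2-1+b1`` exists in the archive, so the example as written could never be matched by the retention or rebuild tracking the text describes. Both lines should read ``(= 0.3.2-1)``. Also in this hunk: "This ``Static-Built-Using`` field must list" should be "The ..."; "who's" should be "whose" in both places; the first paragraph says the field "must list" while the next says cases where it "may be used", which leaves open whether the field is mandatory whenever one of the listed cases applies, so state a single rule (e.g. "must be used whenever ...") and keep "may" only for the non-exhaustive list of cases; and add an anchor such as ``.. _s-static-built-using:`` before the new heading so the field can be cross-referenced the way ``s-built-using`` is.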