Hi, Most of the problems with wording have been fixed, except for the one I note below.
On Wed, 2024-08-21 at 23:45 +0200, Guillem Jover wrote: > > > +A package that needs domain name suffix data from the publicsuffix > > +binary package would list it in the ``Static-Built-Using`` field like > > +so: > > Perhaps reword these or preface with some text to make them more clear > they are just some examples for how the field could be used? I mean, I > guess this is implicit with the “would“, but perhaps making this > explicit is preferable in a document like this? > > (I'm also always a bit conflicted with examples that are based on real > current package data, because while this are then extremely clear right > now, they can quickly become obsolete or seem stale or odd after some > time has passed. :/ But I'm not sure what would be an alternative, and > I think this is something for the policy editors to weight in if at all.) The wording used in the examples and their nature is based on how they have been written in the Built-Using section already in the policy, which I quote below: > A package using the source code from the gcc-4.6-source binary package > built from the gcc-4.6 source package would have this field in its > control file: > > :: > > Built-Using: gcc-4.6 (= 4.6.0-11) > > A package including binaries from grub2 and loadlin would have this > field in its control file: > > :: > > Built-Using: grub2 (= 1.99-9), loadlin (= 1.6e-1) It would be beneficial for the policy editors to weigh in on this. > Beside these comments, which to me seem more on the editorial side, > I'm now happy with the essence of the text to second it, once it has > seen some wordsmithing. :) Please review the revised patch that is attached when you can. Thanks! -- Maytham Alsudany Debian Maintainer maytham @ OFTC maytha8 @ Libera
From 10783df49d99e48d3f7d2b528d216d005b19ba8c Mon Sep 17 00:00:00 2001
From: Maytham Alsudany <maytha8the...@gmail.com>
Date: Thu, 18 Apr 2024 22:29:01 +0300
Subject: [PATCH] Require use of Static-Built-Using to declare
statically-linked libraries
---
policy/ch-relationships.rst | 59 +++++++++++++++++++++++++++++++++++--
1 file changed, 57 insertions(+), 2 deletions(-)
diff --git a/policy/ch-relationships.rst b/policy/ch-relationships.rst
index fb9dae8..872f948 100644
--- a/policy/ch-relationships.rst
+++ b/policy/ch-relationships.rst
@@ -666,8 +666,8 @@ dependency to install.
.. _s-built-using:
-Additional source packages used to build the binary - ``Built-Using``
----------------------------------------------------------------------
+Additional source packages used to build the binary - ``Built-Using`` and ``Static-Built-Using``
+------------------------------------------------------------------------------------------------
Some binary packages incorporate parts of other packages when built
but do not have to depend on those packages. Examples include linking
@@ -676,6 +676,9 @@ package during the build. In this case, the source packages of those
other packages are part of the complete source (the binary package is
not reproducible without them).
+``Built-Using``
+~~~~~~~~~~~~~~~
+
When the license of either the incorporated parts or the incorporating
binary package requires that the full source code of the incorporating
binary package be made available, the ``Built-Using`` field must list
@@ -710,6 +713,58 @@ requirements to retain the referenced source packages. It should not
be added solely as a way to locate packages that need to be rebuilt
against newer versions of their build dependencies.
+``Static-Built-Using``
+~~~~~~~~~~~~~~~~~~~~~~
+
+This ``Static-Built-Using`` field must list source packages with an
+"exactly equal" ("=") version relation, which had their contents (like
+source code or data) incorporated into the binary package during the
+build.
+
+Cases where this field may be used include (but are not limited to)
+linking against static libraries in other packages, builds for
+source-centered languages such as Go and Rust, usage of header-only
+C/C++ libraries and injecting data blobs into code.
+
+This is useful to track whether the package might need to be rebuilt
+when source packages listed here have been updated. This is important
+to stay ahead of the package failing to build from source (FTBFS) with
+the updated versions of the listed source packages, or security
+updates in the listed source packages.
+
+Unlike Built-Using, the Debian archive will **not** retain the
+versions of the source packages listed in the Static-Built-Using
+field. This means that any package listed in Static-Built-Using that
+contains a license requiring its source code to be available must also
+simultaneously be listed in the Built-Using field.
+
+A package that needs domain name suffix data from the publicsuffix
+binary package would list it in the ``Static-Built-Using`` field like
+so:
+
+::
+
+ Static-Built-Using: publicsuffix (= 20231001.0357-0.1)
+
+A package statically linked with a library from the
+golang-github-mattn-go-xmpp-dev binary package would have this field
+in its control file:
+
+::
+
+ Static-Built-Using: golang-github-mattn-go-xmpp (= 0.2.0-1)
+
+A package statically linked with the libraries contained in the
+librust-gtk4-dev and librust-pulsectl-rs-dev binary packages, where
+the latter is licensed under GPL-3+ (a license that requires full
+source code to be available), would have these fields in its control
+file:
+
+::
+
+ Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)
+ Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 0.3.2-1+b1)
+
.. [#]
The relations ``<`` and ``>`` were previously allowed, but they were
confusingly defined to mean earlier/later or equal rather than
--
2.39.5
signature.asc
Description: This is a digitally signed message part
