Maytham Alsudany <maytha8the...@gmail.com> writes: > +``Static-Built-Using`` > +~~~~~~~~~~~~~~~~~~~~~~ > + > +This ``Static-Built-Using`` field must list source packages with an > +"exactly equal" ("=") version relation, which had their contents (like > +source code or data) incorporated into the binary package during the > +build.
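Review bot: The clause "which had their contents (like source code or data) incorporated into the binary package during the build" leaves open whether only sources incorporated directly must be listed, or also sources whose content arrives through another package that itself embeds them. State the intended scope in this paragraph, either by qualifying it with "directly" or by saying the list is the full transitive set, and add a short example of a field value. The opening "This ``Static-Built-Using`` field" would also read better as "The ``Static-Built-Using`` field", since the visible text has only the heading before it.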
I have a (possibly non-typical) situation that I believe warrants use of Static-Built-Using and I find the above explanation ambiguous wrt if the transitive closure of packages should be included or not.

(A side-note is that referring to source package names in 'Static-Built-Using' makes it hard to know which binary package from that source package actually ships the embedded code. I suspect it is too late to change this though.)

My naive reading of the text above suggests that ALL source packages with that property ought to be included. I'm not certain that is a good idea or even if this is intended.

My situation is that 'tkey-ssh-agent' embeds a RISCV firmware app blob which comes from the 'tillitis-tkey-device-signer' package which embeds RISCV object code from the 'tillitis-tkey-libs' package.

In an upcoming upload, I plan to add

  Static-Built-Using: tillitis-tkey-libs (= 0.1.2-2)

to the 'tillitis-tkey-device-signer' package.

However, what is the right header for the 'tkey-ssh-agent' package?

Naively interpreted, I think the above policy would suggest this:

  Static-Built-Using: tillitis-tkey-libs (= 0.1.2-2), tillitis-tkey-device-signer (= 0.1.2-2)

However, is that useful? Wouldn't the following be sufficient:

  Static-Built-Using: tillitis-tkey-device-signer (= 0.1.2-2)

Code that goes looking at the 'tillitis-tkey-device-signer' source package ought to be able to find that one of its binary packages, namely 'tillitis-tkey-device-signer', has a Static-Built-Using on another package.

The problem with interpreting the text above as indicating the transitive closure is that there may be no end to the list.

For example, 'tillitis-tkey-libs' most likely embeds static code coming from the compiler, in the 'clang-19' package (or some other dependent package of 'clang-19'). Should 'clang-19' be added to 'Static-Built-Using'?

Recursively, I suspect that the 'clang-19' binary package in Debian of version X either embeds static code coming from gcc version Y or clang version X-1. Should 'clang-19' have a Static-Built-Using on its compiler?

I'm not sure this is useful or intended. Maybe adding an example for embedded static C object code like this would help clarify the intention.

/Simon
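Added example, not part of the original mail and not Debian tooling: a sketch of the lookup described in the message above, where only directly declared Static-Built-Using fields are stored and a tool derives the transitive set by following source names to all binaries of that source. The index layout, the function names, the tkey-ssh-agent version and the clang-19 entry are constructed placeholders; the clang-19 entry only models the open question about compilers and shows how a chain that leaves the index is reported.

```python
import re
from collections import deque

# Constructed sample index: binary package -> (source, version, Static-Built-Using).
# The two tillitis versions come from the mail; the tkey-ssh-agent version and
# the clang-19 relation are placeholders made up for this example.
INDEX = {
    "tillitis-tkey-libs": ("tillitis-tkey-libs", "0.1.2-2",
                           "clang-19 (= 0.0-placeholder)"),
    "tillitis-tkey-device-signer": ("tillitis-tkey-device-signer", "0.1.2-2",
                                    "tillitis-tkey-libs (= 0.1.2-2)"),
    "tkey-ssh-agent": ("tkey-ssh-agent", "0.0-placeholder",
                       "tillitis-tkey-device-signer (= 0.1.2-2)"),
}

ENTRY = re.compile(r"^\s*(\S+)\s*\(\s*=\s*(\S+)\s*\)\s*$")

def parse_field(value):
    """Parse 'src (= ver), src2 (= ver2)' into a list of (source, version)."""
    pairs = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        m = ENTRY.match(item)
        if not m:
            raise ValueError(f"not an exact (=) relation: {item!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs

def direct_of_source(source, version, index):
    """Union the fields of every binary built from source at that version,
    since the field names a source and not the binary that ships the code."""
    found, deps = False, []
    for src, ver, field in index.values():
        if (src, ver) == (source, version):
            found = True
            deps.extend(parse_field(field))
    return found, deps

def closure(binary, index):
    """Return (resolved, unresolved) sets of (source, version) reachable from binary."""
    resolved, unresolved = set(), set()
    queue = deque(parse_field(index[binary][2]))
    while queue:
        node = queue.popleft()
        if node in resolved or node in unresolved:
            continue  # visited set guarantees termination on repeated nodes
        found, deps = direct_of_source(*node, index)
        (resolved if found else unresolved).add(node)
        queue.extend(deps)
    return resolved, unresolved
```

An entry lands in the unresolved set when the pinned source version is not present in the index being searched, which is where the walk stops for that branch.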