On Fri, Feb 04, 2022 at 11:06:53AM +0100, Yadd wrote:
> > Thanks for your work!
> >
> > I had a question: wouldn't that be a violation of the policy?
> > Since at the same link you passed, it says:
> >
> > | This field should be used only when there are license or DFSG
> > | requirements to retain the referenced source packages. It should
> > | not be added solely as a way to locate packages that need to be
> > | rebuilt against newer versions of their build dependencies.
>
> You're right, it's probably not the good field.

Yes, Built-Using has a specific goal and it affects how dak retains
source packages even when no binaries are coming from them.
Don't add such a field needlessly.

> > Although the goal here is to track CVEs, but it does not seem to do
> > much with licenses.
> >
> > Actually, even golang team uses something similar (not exactly same);
> > please consider to look at this link[2]
> > and they were thinking of doing
> > it on something on the lines of the rust team, i.e. introducing a
> > XS-<lang>-Built-Using or something similar;
> > do you think using a XS-javascript-Built-Using could be a more sensible
> > option on our side?
> >
> > Let me know.
>
> Or X-Javascript-Built-Using ?
You'd likely need to use XB- so that it gets into the binary packages
and then in the Packages index file (I think).
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540
More about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
-- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
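
Added example, not part of the thread or of any Debian tooling: a sketch of how the CVE-tracking goal discussed above could consume such a field if it did reach the Packages index. It assumes a hypothetical `Javascript-Built-Using` binary field (what an `XB-Javascript-Built-Using` source field would produce) using the same `source (= version)` syntax as `Built-Using`; all package names and versions are constructed.

```python
import re

# Constructed Packages index excerpt; package names, versions and the
# Javascript-Built-Using field itself are hypothetical.
SAMPLE_PACKAGES = """\
Package: node-example-app
Version: 1.2.0-1
Javascript-Built-Using: node-foo (= 4.17.20-1),
 node-bar (= 2.0.1-3)

Package: node-other
Version: 0.9-2

Package: example-webui
Version: 3.1-1
Javascript-Built-Using: node-foo (= 4.17.21-1)
"""

FIELD = "Javascript-Built-Using"  # assumed field name, not an existing one
ENTRY_RE = re.compile(r"^\s*(\S+)\s*\(=\s*([^)\s]+)\s*\)\s*$")

def parse_stanzas(text):
    """Yield each deb822 stanza as a dict, joining continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def embedded_sources(stanza, field=FIELD):
    """Return [(source, version)] pairs from a Built-Using-style field."""
    matches = (ENTRY_RE.match(i) for i in stanza.get(field, "").split(","))
    return [(m.group(1), m.group(2)) for m in matches if m]

def affected_binaries(packages_text, affected):
    """Map binary package -> embedded (source, version) pairs in `affected`."""
    hits = {}
    for stanza in parse_stanzas(packages_text):
        bad = [e for e in embedded_sources(stanza) if e in affected]
        if bad:
            hits[stanza["Package"]] = bad
    return hits
```

Matching here is exact on (source, version); a real tracker would compare against a fixed-version threshold using Debian version ordering.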
