Hi!

On Sat, 2024-04-27 at 17:40:49 +0800, Maytham Alsudany wrote:
> Thanks for your input and suggestions. I've attached an updated patch with
> several changes, including making the description of the field more
> specific, adding another example that is not Go/Rust related, and improving
> the Rust example to show the simultaneous use of Static-Built-Using and
> Built-Using.

Thanks for the update!

> From 06cf64756ff1ee66d845e86dcf5c9dafd4a84b39 Mon Sep 17 00:00:00 2001
> From: Maytham Alsudany <maytha8the...@gmail.com>
> Date: Thu, 18 Apr 2024 22:29:01 +0300
> Subject: [PATCH] Require use of Static-Built-Using to declare
>  statically-linked libraries
> 
> ---
>  policy/ch-relationships.rst | 60 +++++++++++++++++++++++++++++++++++--
>  1 file changed, 58 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/ch-relationships.rst b/policy/ch-relationships.rst
> index fb9dae8..636e2a5 100644
> --- a/policy/ch-relationships.rst
> +++ b/policy/ch-relationships.rst

> @@ -710,6 +713,59 @@ requirements to retain the referenced source packages.  
> It should not
>  be added solely as a way to locate packages that need to be rebuilt
>  against newer versions of their build dependencies.
>  
> +``Static-Built-Using``
> +~~~~~~~~~~~~~~~~~~~~~~
> +
> +This ``Static-Built-Using`` field must list source packages who's

I'm not sure “who” would be idiomatic to refer to package contents?

> +contents (like source code or data) were incorporated into the binary
> +package during the build, including an "exactly equal" ("=") version
> +relation on the version that was used to build that version of the
> +incorporating binary package.

I find the placement/phrasing after the “, including …” a bit
confusing, because I read it as a continuation from the “were
incorporated into the binary package during build”, instead of
“must list source packages”. It is also perhaps not clear that the
exact version restriction is mandatory.

> +Cases where this field may be used include (but are not limited to)
> +linking against static libraries in other packages, builds for
> +source-centered languages such as Go and Rust, usage of header-only
> +C/C++ libraries and injecting data blobs into code.
> +
> +This is useful to track whether the package might need to be rebuilt
> +when source packages listed here have been updated. This is important
> +to stay ahead of the package failing to build from source (FTBFS) with
> +the updated versions of the listed source packages, or security
> +updates in the listed source packages.
> +
> +Unlike Built-Using, the Debian archive will **not** retain the
> +versions of the source packages listed in the Static-Built-Using
> +field. This means that any package listed in Static-Built-Using who's

Same comment about “who”.

> +license requires its source code to be available must also
> +simultaneously be listed in the Built-Using field.
> +
> +A package that needs domain name suffix data from the publicsuffix
> +binary package would list it in the ``Static-Built-Using`` field like
> +so:

Perhaps reword these or preface with some text to make them more clear
they are just some examples for how the field could be used? I mean, I
guess this is implicit with the “would”, but perhaps making this
explicit is preferable in a document like this?

(I'm also always a bit conflicted with examples that are based on real
current package data, because while these are then extremely clear right
now, they can quickly become obsolete or seem stale or odd after some
time has passed. :/ But I'm not sure what would be an alternative, and
I think this is something for the policy editors to weigh in if at all.)

> +
> +::
> +
> +    Static-Built-Using: publicsuffix (= 20231001.0357-0.1)
> +
> +A package statically linked with a library from the
> +golang-github-mattn-go-xmpp-dev binary package would have this field
> +in its control file:
> +
> +::
> +
> +    Static-Built-Using: golang-github-mattn-go-xmpp (= 0.2.0-1)
> +
> +A package statically linked with the libraries contained in the
> +librust-gtk4-dev and librust-pulsectl-rs-dev binary packages, where
> +the latter is licensed under GPL-3+ (a license that requires full
> +source code to be available), would have these fields in its control
> +file:
> +
> +::
> +
> +    Built-Using: rust-pulsectl-rs (= 0.3.2-1+b1)
> +    Static-Built-Using: rust-gtk4 (= 0.7.3-3), rust-pulsectl-rs (= 
> 0.3.2-1+b1)
> +
>  .. [#]
>     The relations ``<`` and ``>`` were previously allowed, but they were
>     confusingly defined to mean earlier/later or equal rather than
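
Review bot: In the last example, rust-pulsectl-rs is given the version 0.3.2-1+b1 in both Built-Using and Static-Built-Using, but a +b1 suffix marks a binary-only rebuild of a binary package, while the new text requires a source package name with an "exactly equal" version relation on the source version. A reader copying the example would emit relations that match no source package in the archive, which defeats the rebuild and security-update tracking the field is meant to provide, so the example should use the source version without the +b1 suffix. Separately, the paragraph beginning "Unlike Built-Using" writes both field names as plain text, whereas the rest of the hunk marks them up as ``Static-Built-Using``; using the literal markup throughout would keep the section consistent.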

Besides these comments, which to me seem more on the editorial side,
I'm now happy with the essence of the text to second it, once it has
seen some wordsmithing. :)

Thanks,
Guillem
