Package: dar-static
Version: 2.7.15-2
Severity: normal

Policy §7.8 says that the Built-Using field "should be used only when there are license or DFSG requirements to retain the referenced source packages". This seems to be true for about half of the dependencies of dar-static.

dpkg now has a second similar field, Static-Built-Using, which can/should be used for permissively-licensed dependencies. If I'm reading correctly, packages with a requirement to retain source code (most commonly (L)GPL packages) should now be listed in both Built-Using *and* Static-Built-Using, and packages with no such requirement should now be listed in Static-Built-Using only. There's more discussion in <https://bugs.debian.org/1069256>.

Taking trixie amd64 as an example, dar-static declares Built-Using on:

    argon2 (= 0~20190702+dfsg-4)
    bzip2 (= 1.0.8-6)
    curl (= 8.9.1-2)
    e2fsprogs (= 1.47.1-1)
    glibc (= 2.40-2)
    gpgme1.0 (= 1.18.0-6)
    libassuan (= 2.5.6-1)
    libcap2 (= 1:2.66-5)
    libgcrypt20 (= 1.11.0-6)
    libnsl (= 1.3.0-3)
    librsync (= 2.3.4-1.1)
    libthreadar (= 1.5.0-1)
    libzstd (= 1.5.6+dfsg-1)
    lz4 (= 1.9.4-3)
    lzo2 (= 2.10-3)
    openssl (= 3.3.2-1)
    zlib (= 1:1.3.dfsg+really1.3.1-1)

If I'm reading correctly, many of those packages are permissively-licensed (BSD-style licensing) and therefore we do not need to retain their source code just because a derivative of it was statically linked into dar-static, so they can be in Static-Built-Using only:

* argon2: CC0 or Apache-2.0
* bzip2: BSD variant
* curl: MIT variant
* libcap2: BSD or GPL, we can choose BSD
* libzstd: BSD or GPL, we can choose BSD
* lz4: library code is BSD
* openssl: Apache-2.0
* zlib: BSD-style

Other packages still *do* need to be in Built-Using, because they are copyleft:

* e2fsprogs: GPL
* glibc: LGPL
* gpgme1.0: variously LGPL and GPL
* libassuan: LGPL
* libgcrypt20: LGPL
* libnsl: LGPL
* librsync: LGPL
* libthreadar: LGPL
* lzo2: GPL

For example, in the current state of the archive, I think dropping curl from dar-static's Built-Using would allow curl (= 8.10.0-2), which is newer than testing but older than unstable, to be dropped.

    smcv