On 2025-05-30 Aurelien Jarno <aure...@debian.org> wrote:
> control: tag -1 + patch

> Hi,

> On 2025-05-29 22:53, Aurelien Jarno wrote:
> > Package: gpgv-static
> > Version: 2.1.15-9
> > Severity: serious
> > Justification: Policy 7.8
> > 
> > Dear maintainer,
> > 
> > The gpgv-static package provides /usr/bin/gpgv-static which is
> > statically linked against glibc.
> > 
> > glibc is mostly licensed under the LGPL, which requires that
> > the full source code of the incorporating binary package be made
> > available. According to Debian Policy §7.8 [1] such a binary package
> > MUST list the glibc source package (and possibly others) in the
> > Built-Using: field.

Hello Aurelien,

thanks for the report.

> Please find attached a patch to fix that.
[...]

I do not think that is sufficient. Looking at debian/rules gpgv-static
is built with the same configure flags as the gpgv udeb package and there
we find:
ametzler@argenau:/tmp$ objdump -p udeb/usr/bin/gpgv  | grep NEEDED
  NEEDED               libz.so.1
  NEEDED               libgcrypt.so.20
  NEEDED               libgpg-error.so.0
  NEEDED               libc.so.6

I will take a look at dh-builtusing, hopefully it will limit the ugliness.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
