On 2025-08-05 12:34:59 +0200, Fabian Grünbichler wrote: > On Tue, Aug 05, 2025 at 09:54:35AM +0100, Julian Gilbey wrote: > > On Tue, Aug 05, 2025 at 12:48:58AM +0200, Guillem Jover wrote: > > > > I would therefore propose changing the Static-Built-Using field to use > > > > *binary* packages and versions rather than *source* packages and > > > > versions to fix this. > > > > > > > > At present, there are only about 250 packages in testing that use the > > > > Static-Built-Using field, so the impact would be manageable. > > > > > > > > > > > > But there may be a really good reason to use source package versions > > > > instead; it would be helpful to hear those. > > > > > > Although we have some tooling generating the fields (mainly in the Go > > > and Rust teams), I don't think there's currently tooling in Debian > > > consuming the fields yet. But then also, the fields have been documented > > > with those semantics since dpkg 1.21.3 (as present in Debian bookworm), > > > so there could be local reliance on those. :/ > > > > That's good to know. I also doubt there's much local reliance on > > those, given how little they've been used within the main archive, and > > I expect that anyone who is relying on them locally will be competent > > enough to cope with this proposed (breaking) change. I would also > > expect that any local users relying on this field would appreciate the > > benefit of the changes proposed. > > CCing Stefan, who currently schedules binNMUs based on Built-Using and > Extra-Source-Only, IIRC. not sure whether RT already acts on S-B-U > anywhere as well, in addition to that?
Not yet. We could use it to rebuild packages that are affected by a security issue in, say, a rust crate that is referenced via Static-Built-Usig. We never had the use case so far, though. Cheers > > > > If there is consensus that we'd want the more precise (although in > > > many cases possibly irrelevant) information tracking, I'd be fine > > > with the changed semantics, and I'd be happy to update the > > > deb-control(5) man pages. Taking into account that while it feels > > > early enough in Debian terms (given that we currently have no > > > consumers that I'm aware of), this has the unknown of potential local > > > users. > > > > If there is consensus on this, then given what you've pointed out > > above, we should probably tighten up the wording of the proposal to > > indicate that Static-Built-Using should only list packages whose > > upgrading should trigger a rebuild of the package, for example > > packages whose content is embedded in the resulting binary package. > > But the compiler used should not generally be included in this field. > > note that for Rust, this is for the most part not true - except for > niche use cases (nostd, like when building embedded things or Linux > kernel stuff), the standard library which is part of the toolchain > packages *is* statically linked into any Rust executable. and even for > nostd, the same applies to a smaller standard library (libcore). > > so while Static-Built-using rustc could go away following this line of > reasoning (which I do agree with - grave compiler codegen bugs warrant > rebuilding the world anyway), libstd-rust-dev would remain. -- Sebastian Ramacher
