[pkg-gnupg-maint] Bug#1106800: gpgv-static: statically linked against glibc without a Built-Using: field
Andreas Metzler
ametzler at bebt.de
Fri May 30 18:18:22 BST 2025
On 2025-05-30 Aurelien Jarno <aurel32 at debian.org> wrote:
> control: tag -1 + patch
> Hi,
> On 2025-05-29 22:53, Aurelien Jarno wrote:
> > Package: gpgv-static
> > Version: 2.1.15-9
> > Severity: serious
> > Justification: Policy 7.8
> >
> > Dear maintainer,
> >
> > The gpgv-static package provides /usr/bin/gpgv-static which is
> > statically linked against glibc.
> >
> > glibc is mostly licensed under the LGPL, which requires that
> > the full source code of the incorporating binary package be made
> > available. According to Debian Policy §7.8 [1] such a binary package
> > MUST list the glibc source package (and possibly others) in the
> > Built-Using: field.
Hello Aurelien,
thanks for the report.
> Please find attached a patch to fix that.
[...]
I do not think that is sufficient. Looking at debian/rules gpgv-static
is built with the same configure flags as the gpgv udeb package and there
we find:
ametzler at argenau:/tmp$ objdump -p udeb/usr/bin/gpgv | grep NEEDED
NEEDED libz.so.1
NEEDED libgcrypt.so.20
NEEDED libgpg-error.so.0
NEEDED libc.so.6
I will take a look at dh-builtusing, hopefully it will limit the ugliness.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
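
Added example, not part of the original message and not the dh-builtusing tool: a sketch of turning the NEEDED entries of the dynamically linked twin (the udeb gpgv above) into Built-Using candidates for the static binary. The function names are hypothetical, and it assumes each shared library and the static archive linked into gpgv-static come from the same source package at the same installed version.

```shell
#!/bin/sh
# Constructed sample, modelled on the objdump output quoted in the message.
SAMPLE_OBJDUMP='Dynamic Section:
  NEEDED               libz.so.1
  NEEDED               libgcrypt.so.20
  NEEDED               libgpg-error.so.0
  NEEDED               libc.so.6
  INIT                 0x0000000000004000'

# Print the sonames found in `objdump -p` output read from stdin.
needed_sonames() {
    awk '$1 == "NEEDED" { print $2 }'
}

# Map one soname to "source (= version)" using the local dpkg database.
# Assumption: the runtime library and the static archive share a source package.
source_of_soname() {
    pkg=$(dpkg -S "*/$1" 2>/dev/null | sed -n '1s/: .*//p')
    [ -n "$pkg" ] || return 1
    dpkg-query -W -f='${source:Package} (= ${source:Version})\n' "$pkg"
}

# Join the unique relations read from stdin into a single field line.
built_using_field() {
    sort -u |
        awk 'NR > 1 { printf ", " } { printf "%s", $0 } END { if (NR) print "" }' |
        sed 's/^/Built-Using: /'
}

# $1 = dynamically linked build of the same program, e.g. udeb/usr/bin/gpgv.
# Sonames that cannot be resolved are reported on stderr, not silently dropped.
built_using_for() {
    objdump -p "$1" | needed_sonames | while read -r so; do
        source_of_soname "$so" || echo "unresolved: $so" >&2
    done | built_using_field
}
```

On a Debian build host, `built_using_for udeb/usr/bin/gpgv` prints one candidate line; an `unresolved:` message means the field is incomplete and the library needs to be traced by hand.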