[pkg-gnupg-maint] Bug#1106800: gpgv-static: statically linked against glibc without a Built-Using: field
Aurelien Jarno
aurel32 at debian.org
Fri May 30 18:41:18 BST 2025
Hi Andreas,

On 2025-05-30 19:18, Andreas Metzler wrote:
> On 2025-05-30 Aurelien Jarno <aurel32 at debian.org> wrote:
> > control: tag -1 + patch
>
> > Hi,
>
> > On 2025-05-29 22:53, Aurelien Jarno wrote:
> > > Package: gpgv-static
> > > Version: 2.1.15-9
> > > Severity: serious
> > > Justification: Policy 7.8
> > >
> > > Dear maintainer,
> > >
> > > The gpgv-static package provides /usr/bin/gpgv-static which is
> > > statically linked against glibc.
> > >
> > > glibc is mostly licensed under the LGPL, which requires that
> > > the full source code of the incorporating binary package be made
> > > available. According to Debian Policy §7.8 [1] such a binary package
> > > MUST list the glibc source package (and possibly others) in the
> > > Built-Using: field.
>
> Hello Aurelien,
>
> thanks for the report.
>
> > Please find attached a patch to fix that.
> [...]
>
> I do not think that is sufficient. Looking at debian/rules gpgv-static
> is built with the same configure flags as the gpgv udeb package and there
> we find:
> ametzler at argenau:/tmp$ objdump -p udeb/usr/bin/gpgv | grep NEEDED
>   NEEDED libz.so.1
>   NEEDED libgcrypt.so.20
>   NEEDED libgpg-error.so.0
>   NEEDED libc.so.6

Indeed you are correct. Note however that zlib's license does not
require sources to be provided, so it should not appear in Built-Using
(but can appear in Static-Built-Using).
> I will take a look at dh-builtusing, hopefull it will limit the ugliness.
Thanks, I just learned about that package. Indeed after adding
dh-sequence-builtusing to the build-depends, it's just a matter of
adding:
Built-Using: ${dh-builtusing:libc-dev-bin}
Plus of course the packages you listed above.
Regards
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien at aurel32.net http://aurel32.net