[Pkg-rust-maintainers] Bug#1133920: sq: Binary license should be LGPL-3.0, not LGPL-2.0-or-later, due to statically linked dependencies

NGG ngg at ngg.hu
Wed Apr 15 19:38:45 BST 2026 

Package: sq
Version: 1.3.1-2+b2
Severity: normal

The `sq` binary package claims `LGPL-2.0-or-later` as its license. However,
the binary statically links Rust dependencies whose licenses are
incompatible
with LGPL-2.0, making the effective license of the distributed binary
incorrect.

Specifically:

1. librust-nettle-dev: licensed `LGPL-3.0 or GPL-2.0 or GPL-3.0`
   The LGPL-3.0 option here is not satisfiable under LGPL-2.0-or-later
   without upgrading to LGPL-3.0, since LGPL-2.0 and LGPL-3.0 are not
   directly compatible (LGPL-3.0 imposes additional requirements).

2. librust-gethostname-dev: licensed `Apache-2.0`
   Apache-2.0 is compatible with LGPL-3.0 but not with LGPL-2.0 (due to
   patent termination and indemnity clauses conflicting with GPLv2-family
   terms). It is compatible starting from GPL-3.0 / LGPL-3.0.

Since the sq binary statically incorporates code from both of these
dependencies, the effective license of the combined work must be
LGPL-3.0 or GPL-3.0 to satisfy all dependency license requirements.

Other Sequoia packages are affected by the same issue, notably sqv,
which also statically links librust-nettle-dev.

Suggested fix: Update the declared license of the binary package(s) to
LGPL-3.0.

-- System Information:
Debian Release: 13.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.18.12-gentoo-dist (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages sq depends on:
ii  libbz2-1.0      1.0.8-6
ii  libc6           2.41-12+deb13u2
ii  libgcc-s1       14.2.0-19
ii  libgmp10        2:6.3.0+dfsg-3
ii  libhogweed6t64  3.10.1-1
ii  libnettle8t64   3.10.1-1
ii  libsqlite3-0    3.46.1-7+deb13u1
ii  libssl3t64      3.5.5-1~deb13u2

sq recommends no packages.

sq suggests no packages.

-- no debconf information
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20260415/557fe3a5/attachment.htm>

More information about the Pkg-rust-maintainers mailing list