[Pkg-rust-maintainers] Bug#1133920: sq: Binary license should be LGPL-3.0, not LGPL-2.0-or-later, due to statically linked dependencies
Fabian Grünbichler
debian at fabian.gruenbichler.email
Thu Apr 16 07:56:27 BST 2026
On Wed, 15 Apr 2026 20:38:45 +0200 NGG <ngg at ngg.hu> wrote:
> Package: sq
> Version: 1.3.1-2+b2
> Severity: normal
>
> The `sq` binary package claims `LGPL-2.0-or-later` as its license. However,
> the binary statically links Rust dependencies whose licenses are
> incompatible with LGPL-2.0, making the effective license of the
> distributed binary incorrect.
>
> Specifically:
>
> 1. librust-nettle-dev: licensed `LGPL-3.0 or GPL-2.0 or GPL-3.0`
> The LGPL-3.0 option here is not satisfiable under LGPL-2.0-or-later
> without upgrading to LGPL-3.0, since LGPL-2.0 and LGPL-3.0 are not
> directly compatible (LGPL-3.0 imposes additional requirements).
>
> 2. librust-gethostname-dev: licensed `Apache-2.0`
> Apache-2.0 is compatible with LGPL-3.0 but not with LGPL-2.0 (due to
> patent termination and indemnity clauses conflicting with GPLv2-family
> terms). It is compatible starting from GPL-3.0 / LGPL-3.0.
>
> Since the sq binary statically incorporates code from both of these
> dependencies, the effective license of the combined work must be
> LGPL-3.0 or GPL-3.0 to satisfy all dependency license requirements.
>
> Other Sequoia packages are affected by the same issue, notably sqv,
> which also statically links librust-nettle-dev.
>
> Suggested fix: Update the declared license of the binary package(s) to
> LGPL-3.0.
Debian does not carry copyright information on built executables, only
on the sources. Or as Pabs put it in the first reply to the referenced
thread below:
Pabs on debian-legal wrote:
> The problem can be more generally stated as; Debian aggregates the
> copyright and license of source files we distribute but does not trace
> the path from source files to compiled files, and therefore does not
> trace which source files each generated file was created from and as a
> subset of that problem, does therefore not trace the flow of copyright
> and license information and does not aggregate that information and
> does not discover license incompatibilities in the generated files.
https://lists.debian.org/debian-legal/2023/09/msg00001.html
That mostly covered things like missing notices, not transforming
licensing stanzas for situations like the one you describe above.
It still might make sense to change the license upstream to reflect the
de facto license of what ends up getting distributed in practice, to
avoid confusion.
Fabian