[Pkg-rust-maintainers] Debian NEW review note for uv 0.9.16+ds1-1

[siretart at debian.org]

A reviewer has shared a note regarding uv 0.9.16+ds1-1:

Findings and Blockers





   * Incomplete Copyright Attribution: The files in crates/uv-python/python/packaging/ are derived from the packaging project. They are copyrighted by Donald Stufft


     and individual contributors and licensed under BSD-2-Clause or Apache-2.0. This needs a dedicated stanza in debian/copyright.


     Sadly, `dnq author-check` did not find this 


   * License Mismatch: crates/uv-platform/src/libc.rs contains code from glibc-version-rs which is Apache-2.0 only. The current debian/copyright catch-all ("Expat


     or Apache-2.0") is technically inaccurate for this specific file.





  Request for Team Input: scripts/links





  The directory scripts/links/ contains over 20 pre-compiled .whl and .tar.gz files. 





   * The Issue: These are binary artifacts. Under a strict interpretation of DFSG #2 and the "preferred form for modification" rule, shipping compiled wheels in the


     source tarball is generally prohibited for main.


   * The Counter-Argument: These files are carefully curated test data used to verify uv's behavior (e.g., hash verification, publishing, and installation of


     various wheel formats). They are not intended for modification or execution in the traditional sense, but rather as static targets for the tool's logic.


   * The Question: Should we treat these curated test stubs as "data" that can remain, or must we adhere to the standard policy of excluding all binary blobs? If


     they must be excluded, the test suite will require significant patching to generate these stubs on the fly during the build.





  I would appreciate opinions from other team members on whether these specific curated test wheels are acceptable in main or if they must be moved to


  Files-Excluded.

-- Reinhard Tartler

Full review details: https://dfsg-new-queue.debian.org/reviews/uv