[Pkg-rust-maintainers] Bug#1115616: Debian NEW review note for uv 0.9.16+ds1-1
Antonin Delpeuch
antonin at delpeuch.eu
Fri Apr 24 09:32:32 BST 2026
Hi Richard,
Thanks a lot for reviewing this upload!
I've adjusted the debian/copyright in Salsa as indicated.
Looking at the contents of the test wheels, I tend to agree with awm
that those test artifacts are safe to include, but I'm happy to work on
removing them if the decision comes to that.
Best,
Antonin
On 23/04/2026 12:31, siretart at debian.org wrote:
> A reviewer has shared a note regarding uv 0.9.16+ds1-1:
>
> Findings and Blockers
>
> * Incomplete Copyright Attribution: The files in crates/uv-python/python/packaging/ are derived from the packaging project. They are copyrighted by Donald Stufft and individual contributors and licensed under BSD-2-Clause or Apache-2.0. This needs a dedicated stanza in debian/copyright.
>
> Sadly, `dnq author-check` did not find this
>
> * License Mismatch: crates/uv-platform/src/libc.rs contains code from glibc-version-rs which is Apache-2.0 only. The current debian/copyright catch-all ("Expat or Apache-2.0") is technically inaccurate for this specific file.
>
> Request for Team Input: scripts/links
>
> The directory scripts/links/ contains over 20 pre-compiled .whl and .tar.gz files.
>
> * The Issue: These are binary artifacts. Under a strict interpretation of DFSG #2 and the "preferred form for modification" rule, shipping compiled wheels in the source tarball is generally prohibited for main.
> * The Counter-Argument: These files are carefully curated test data used to verify uv's behavior (e.g., hash verification, publishing, and installation of various wheel formats). They are not intended for modification or execution in the traditional sense, but rather as static targets for the tool's logic.
> * The Question: Should we treat these curated test stubs as "data" that can remain, or must we adhere to the standard policy of excluding all binary blobs? If they must be excluded, the test suite will require significant patching to generate these stubs on the fly during the build.
>
> I would appreciate opinions from other team members on whether these specific curated test wheels are acceptable in main or if they must be moved to Files-Excluded.
>
> -- Reinhard Tartler
>
> Full review details: https://dfsg-new-queue.debian.org/reviews/uv