On Tue, 2023-09-26 at 14:20 -0400, John Thorvald Wodder II wrote:

> I suspect that this problem applies to all programs written in Go or Rust that
> Debian distributes.  Is Debian handling dependency licenses for these packages
> incorrectly, or is there something I'm missing?

Your analysis is correct, some extra context for this problem:

The problem you have identified applies to other statically linked
languages too, so I have updated the wiki page to link to it.


The problem can be more generally stated as; Debian aggregates the
copyright and license of source files we distribute but does not trace
the path from source files to compiled files, and therefore does not
trace which source files each generated file was created from and as a
subset of that problem, does therefore not trace the flow of copyright
and license information and does not aggregate that information and
does not discover license incompatibilities in the generated files.

This more general problem is very hard to impossible to solve, since it
would mean patching every single build toolchain and source package to
provide traces of the path from source files to compiled files and then
processing those traces to generate copyright info for binary packages.

The specific problem with Rust/Go/etc static linking might be solvable
by a new debhelper command that would read the Built-Using and related
fields and then append each of them to the DEBIAN/copyright files.



Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to