On Wed, 2023-09-27 at 10:41 -0400, John Thorvald Wodder II wrote:

> So was this problem previously known but under-acknowledged, or was it simply
> not brought up before now?  I find it surprising that Debian would allow so
> many license violations to get this far.  Is fixing the tooling to handle this
> considered a priority?  If the author of an uncredited dependency were to
> complain, would Debian be more likely to focus on fixing the tooling posthaste
> or to just pull whatever packages use the dependency in question?

This is the first time this problem was brought up in Debian AFAICT.
Likely no-one thought about it because we are used to dynamic linking,
which doesn't have this problem. Several folks on different IRC
channels discussed the problem yesterday and it is possible the Rust
or Go teams might work on a debhelper addon to solve it. In theory it
could be possible to solve by copying the copyright files of static
libraries into the binary packages they are linked into, probably
using the Built-Using and Static-Build-Using fields. It will also
further bloat the binary packages of Rust/Go/etc based binaries.

We also noted that this is not just a Debian problem, but a problem
with every distro packaging statically linked stuff and with even the
upstream ecosystems, any project using static linking must deal with
this problem, so every single Rust/Go developer must deal with it.

These links point to some efforts to handle it in the Rust community:




Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to