On 2025-05-30 Aurelien Jarno <[email protected]> wrote:

control: tag -1 + patch

Hi,

On 2025-05-29 22:53, Aurelien Jarno wrote:

Package: gpgv-static
Version: 2.1.15-9
Severity: serious
Justification: Policy 7.8

Dear maintainer,

The gpgv-static package provides /usr/bin/gpgv-static which is
statically linked against glibc.

glibc is mostly is mostly licensed under the LGPL, which requires that
the full source code of the incorporating binary package be made
available. According to Debian Policy �7.8 [1] such a binary package
MUST list the glibc source package (and possibly others) in the Built-Using: field.

Hello Aureien,

thanks for the report.

Please find attached a patch to fix that.

[...]

I do not think that is sufficient. Looking at debian/rules gpgv-static
is built with the same configure flags as the gpgv udeb package and there
we find:
ametzler@argenau:/tmp$ objdump -p udeb/usr/bin/gpgv | grep NEEDED
NEEDED libz.so.1
NEEDED libgcrypt.so.20
NEEDED libgpg-error.so.0
NEEDED libc.so.6

I will take a look at dh-builtusing, hopefull it will limit the ugliness.

cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)