Jul 10, 2022 9:39:36 PM Richard Fontana <rfontana(a)redhat.com>:
If I understand
correctly (I have passing familiarity with Go and close to zero
understanding of how Go projects are built and packaged for Fedora)
the yq rpm would contain a binary that is statically linked against
golang-github-timtadh-data-structures, but the source package of the
yq rpm will not itself contain the source code of
golang-github-timtadh-data-structures (i.e. it won't be "vendored"
[bleh]), which however will be separately packaged in Fedora. Is that
accurate or am I misunderstanding?
Yes, that is correct. There are some go packages in Fedora that use bundled dependencies,
but the package in question is not one of them.
Surely this sort of question has
come up before for Fedora Go packages... or has it?
In general, I think packagers could use more guidance/documentation about this issue, but
here is the current situation:
I believe similar issues have been discussed on this ML, but more so related to rust.
(Rust binaries are also statically linked and built against unbundled dependencies in
Fedora.) The Rust Packaging Guidelines require that rust binaries' License tags
account for the licenses of their respective dependencies. AFAIK, rust packages that
contain binaries don't include the license *files* for their dependencies, though.
: The "dependencies" (rust crates) are only required at buildtime, again, due
to static linkage.
Most, if not all, unbundled go packages only account for the license of the code contained
in that SRPM.
I just saw that a package that claims to be MIT-licensed includes GPL'd code, and my
alarm bells went off. This is a bit of an unusal situation, as most go libraries are