Package: sq
Version: 1.3.1-2+b2
Severity: normal

The `sq` binary package claims `LGPL-2.0-or-later` as its license. However, the binary statically links Rust dependencies whose licenses are incompatible with LGPL-2.0, making the effective license of the distributed binary incorrect.

Specifically:

1. librust-nettle-dev: licensed `LGPL-3.0 or GPL-2.0 or GPL-3.0`
   The LGPL-3.0 option here is not satisfiable under LGPL-2.0-or-later without upgrading to LGPL-3.0, since LGPL-2.0 and LGPL-3.0 are not directly compatible (LGPL-3.0 imposes additional requirements).

2. librust-gethostname-dev: licensed `Apache-2.0`
   Apache-2.0 is compatible with LGPL-3.0 but not with LGPL-2.0 (due to patent termination and indemnity clauses conflicting with GPLv2-family terms). It is compatible starting from GPL-3.0 / LGPL-3.0.

Since the sq binary statically incorporates code from both of these dependencies, the effective license of the combined work must be LGPL-3.0 or GPL-3.0 to satisfy all dependency license requirements.

Other Sequoia packages are affected by the same issue, notably sqv, which also statically links librust-nettle-dev.

Suggested fix: Update the declared license of the binary package(s) to LGPL-3.0.

-- System Information:
Debian Release: 13.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.18.12-gentoo-dist (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages sq depends on:
ii  libbz2-1.0      1.0.8-6
ii  libc6           2.41-12+deb13u2
ii  libgcc-s1       14.2.0-19
ii  libgmp10        2:6.3.0+dfsg-3
ii  libhogweed6t64  3.10.1-1
ii  libnettle8t64   3.10.1-1
ii  libsqlite3-0    3.46.1-7+deb13u1
ii  libssl3t64      3.5.5-1~deb13u2

sq recommends no packages.

sq suggests no packages.

-- no debconf information

