Review: uv 0.9.16+ds1-1
New Package Report
.changes
| Source | uv |
|---|---|
| Version | 0.9.16+ds1-1 |
| Changed-By | Andrius Merkys |
| Architecture | source amd64 |
| Distribution | unstable |
| Date | Wed, 22 Apr 2026 03:30:51 -0400 |
Changelog
uv (0.9.16+ds1-1) unstable; urgency=medium . * Initial release. (Closes: #1115616)
.dsc
| Priority | optional |
|---|---|
| Component | main |
| Package-List | python3-uv-build deb python optional arch=any |
| Section | python |
debian/copyright
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: uv
Upstream-Contact:
William Woodruff <william@astral.sh>
Zanie Blue <contact@zanie.dev>
Source: https://github.com/astral-sh/uv
Files-Excluded:
**/*.bat
**/*.exe
ecosystem
crates/uv-trampoline-builder
Files: *
Copyright: 2025 Astral Software Inc. <hey@astral.sh>
License: Expat or Apache-2.0
Files: crates/uv-virtualenv/src/activator/*
Copyright: 2020-202x The virtualenv developers
License: Expat
Files: crates/uv-pep440/*
Copyright: 2023 konstin
License: Apache-2.0 or BSD-2-clause
Files: crates/uv-client/src/remote_metadata.rs
Copyright: 2023 prefix.dev GmbH
License: BSD-3-clause
Files: crates/uv-extract/src/vendor/*
Copyright: 2022 Google LLC
License: Expat or Apache-2.0
Files: crates/uv-python/fetch-download-metadata.py
Copyright: 2023 Armin Ronacher
License: Expat
Files: crates/uv-python/src/sysconfig/*
Copyright: 2024 Ulrik Sverdrup "bluss"
License: Expat
Files: crates/uv-build-frontend/src/pipreqs/*
Copyright: 2015 Vadim Kravcenko
License: Apache-2.0
Files: crates/uv-pep508/*
Copyright: 2023 konstin
License: Apache-2.0 or BSD-2-clause
Files: crates/uv-torch/src/backend.rs
Copyright: 2020 Philip Meier
License: BSD-3-clause
Files: .github/workflows/release.yml
Copyright: 2022-2024 axodotdev
License: Expat or Apache-2.0
Files: debian/*
Copyright:
2025 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
2025 Antonin Delpeuch <antonin@delpeuch.eu>
License: Expat or Apache-2.0
License: Apache-2.0
Debian systems provide the Apache 2.0 license in
/usr/share/common-licenses/Apache-2.0
License: Expat
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
.
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
License: BSD-2-clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
.
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
License: BSD-3-clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
.
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Review Information
rejected — allocated to siretart 14 days ago, started 14 days ago, completed 13 days ago.
Final Comment
Findings and Blockers
Incomplete Copyright Attribution: The files in crates/uv-python/python/packaging/ are derived from the packaging project. They are copyrighted by Donald Stufft and individual contributors and licensed under BSD-2-Clause or Apache-2.0. This needs a dedicated stanza in debian/copyright.
License Mismatch: crates/uv-platform/src/libc.rs contains code from glibc-version-rs which is Apache-2.0 only. The current debian/copyright catch-all ("Expat or Apache-2.0") is technically inaccurate for this specific file.
Regarding the included test cases, I concur with Andrew. Please make a note in Debian/copyright along the lines "the binary files in scripts/links are carefully curated test fixtures that accompany the tests. They are easily unpacked and have trivial contents".
Thanks for working on the package, I'm looking forward to accepting the package with the issues above fixed.
Public Notes
Findings and Blockers
- Incomplete Copyright Attribution: The files in crates/uv-python/python/packaging/ are derived from the packaging project. They are copyrighted by Donald Stufft
and individual contributors and licensed under BSD-2-Clause or Apache-2.0. This needs a dedicated stanza in debian/copyright.
Sadly,dnq author-checkdid not find this - License Mismatch: crates/uv-platform/src/libc.rs contains code from glibc-version-rs which is Apache-2.0 only. The current debian/copyright catch-all ("Expat
or Apache-2.0") is technically inaccurate for this specific file.
Request for Team Input: scripts/links
The directory scripts/links/ contains over 20 pre-compiled .whl and .tar.gz files.
- The Issue: These are binary artifacts. Under a strict interpretation of DFSG #2 and the "preferred form for modification" rule, shipping compiled wheels in the
source tarball is generally prohibited for main. - The Counter-Argument: These files are carefully curated test data used to verify uv's behavior (e.g., hash verification, publishing, and installation of
various wheel formats). They are not intended for modification or execution in the traditional sense, but rather as static targets for the tool's logic. - The Question: Should we treat these curated test stubs as "data" that can remain, or must we adhere to the standard policy of excluding all binary blobs? If
they must be excluded, the test suite will require significant patching to generate these stubs on the fly during the build.
I would appreciate opinions from other team members on whether these specific curated test wheels are acceptable in main or if they must be moved to
Files-Excluded.
As far as I am concerned any .tar.gz files are trivially able to be unpacked and are therefore functionally equivalent to their unpacked contents. What is slightly less obvious is that .whl files are also compressed archives, and so are also functionally equivalent to their unpacked contents.
I have no problem accepting these within the package. The process of constructing an archive from source is a deliberately reversible one, unlike the process of compiling source into a binary.