Built-Using ----------- From https://www.debian.org/doc/debian-policy/ch-relationships.html: "7.8 Additional source packages used to build the binary - Built-Using Some binary packages incorporate parts of other packages when built but do not have to depend on those packages. Examples include linking with static libraries or incorporating source code from another package during the build. In this case, the source packages of those other packages are a required part of the complete source (the binary package is not reproducible without them). A Built-Using field must list the corresponding source package for any such binary package incorporated during the build [56], including an "exactly equal" ("=") version relation on the version that was used to build that binary package." Considering the above, UCT/scripts/report-built-using.py can be used to examine the Packages files (as from packages_mirror) and report the version of the package they are importing. For example: $ ./scripts/report-built-using.py glibc Source (version) Pocket Component Used by ------------------------------------------------------------------------------ ... glibc (2.19-10ubuntu2) wily main aide The above shows that the aide source package in wily was built using files from glibc 2.19-10ubuntu2 binaries. See './scripts/report-built-using.py --help' for more examples. When triaging CVEs, the report-built-using.py command can be used to see if other packages are candidates for a no change rebuild when the affected source is fixed. golang ------ golang 1.4 and earlier does not have shared library support. "Go 1.5 can produce Go shared libraries that can be consumed by Go programs.... Go 1.5 can also build Go programs as C archive files (for static linking) or shared libraries (for dynamic linking) that can be consumed by C programs."[1] golang will not have shared library support for all architectures though (eg, arm64) but this support is coming. Because 1.5 is not available in Debian or Ubuntu yet, golang packages are statically compiled. They may use Build-Depends in their packaging[2] to depend on other go libraries and this will install the source files for those libraries on the system for the build to use to statically compile everything together. When a source package does this, it should use Built-Using in its control file so that the produced binaries have the proper Built-Using that follows Debian policy[3]. In general, packages should use dh-golang and dh-make-golang. NOTE REGARDING OFFICIALLY SUPPORTED STATICALLY COMPILED GOLANG PACKAGES: golang packages that need to be rebuilt because they are Built-Using an out of date package that has received a security update will be rebuilt by the Ubuntu Security team. Testing will in general not be performed by the Ubuntu Security team for rebuilt packages that receive community support. For packages that receive official support, the Ubuntu Security team will notify affected upstreams that rebuilt packages are available for testing and will publish the rebuilt packages at a later date. [1]https://talks.golang.org/2015/state-of-go-may.slide#13 [2]http://pkg-go.alioth.debian.org/packaging.html