[Edit April 22, 2024]:

• For the current status, please see this comment
• If you are an application developer trying to understand how to handle an ITMS-91053 response from Apple, please see this comment.

See #131495 for more background. This splits out the specific question of how packages should handle privacy manifests and required reason API metadata, and what the flutter needs to do to support that.

Background docs:

• https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api?language=objc
• https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests?language=objc

Capturing from my comment in the original issue:

It seems like we'll either need to:

• leave this up to app developers to deal with (e.g., via finding the transitive usage and asking developers to list the reasons in their READMEs), which isn't going to be a good experience, or
• build a system for arbitrary pub packages to declare privacy manifests, and for the tool to bundle them all together.

We'll also need to investigate how exactly Apple is defining what an SDK is from the standpoint of the automated checks. E.g., if someone's project is configured to build plugins as frameworks, rather than static libraries, will putting the manifests into those frameworks rather than the app be mandatory?