On 11/01/19 10:07, Santiago Vila wrote:
> On Fri, Jan 11, 2019 at 09:48:44AM +0100, Tomasz Buchert wrote:
>
> > they are there, because upstream uses this to also release new versions.
> > And unfortunately, in the past my upstream wasn't very responsive.
> >
> > I used the fasm binary in the first upload to bootstrap everything. I
> > can repack the source, but since I never use these binaries, I don't
> > think it is such a big deal (and I dislike repackaging in general as
> > this replaces one problem (binary files) with a different
> > security problem (original tarballs are tampered with)).
> >
> > Let me know what you think.
>
> I could understand the small benefit of being able to verify more
> easily that the source is the original from upstream, but I also
> believe they should not be there as a matter of principles, i.e.
> source is source and binaries are binaries.
>
> So, as a compromise, I would suggest at least forwarding the bug
> upstream and keeping it open until upstream removes the binaries
> himself.
>
> Thanks.
Putting aside the lack of upstream bug tracking and general lack of responsiveness, mind you that fasm is an assembler which needs bootstrapping. Even if Debian has the fasm package prebuilt (after me bootstrapping it in the first two uploads), it would be a bit unreasonable to expect upstream to cater to such a scenario, given that there are way more Linux distributions around and fasm is not as commonly available as a C compiler, for example. https://lintian.debian.org/tags/source-contains-prebuilt-binary.html mentions that "You may want to report this as an upstream bug, in case there is no sign that this was intended.", but this is intended.

Given the above, I'm going to tentatively close it. Feel free to reopen if you disagree.