On Fri, Jan 11, 2019 at 09:48:44AM +0100, Tomasz Buchert wrote:
> they are there, because upstream uses this to also release new versions.
> And unfortunately, in the past my upstream wasn't very responsive.
>
> I used the fasm binary in the first upload to bootstrap everything. I
> can repack the source, but since I never use these binaries, I don't
> think it is such a big deal (and I dislike repackaging in general as
> this replaces one problem (binary files) with a different
> security problem (original tarballs are tampered with)).
>
> Let me know what you think.
I could understand the small benefit of being able to verify more easily that the source is the original from upstream, but I also believe they should not be there as a matter of principle, i.e. source is source and binaries are binaries. So, as a compromise, I would suggest at least forwarding the bug upstream and keeping it open until upstream removes the binaries himself. Thanks.